this post was submitted on 22 Mar 2026
905 points (99.7% liked)
Technology
82886 readers
2744 users here now
This is a most excellent place for technology news and articles.
Our Rules
- Follow the lemmy.world rules.
- Only tech related news or articles.
- Be excellent to each other!
- Mod approved content bots can post up to 10 articles per day.
- Threads asking for personal tech support may be deleted.
- Politics threads may be removed.
- No memes allowed as posts, OK to post as comments.
- Only approved bots from the list below, this includes using AI responses and summaries. To ask if your bot can be added please contact a mod.
- Check for duplicates before posting, duplicates may be removed
- Accounts 7 days and younger will have their posts automatically removed.
Approved Bots
founded 2 years ago
MODERATORS
you are viewing a single comment's thread
view the rest of the comments
view the rest of the comments
I also wonder whether or not grapheneos, or open source Linux OSs in general, will face any repercussions for failing to comply to these regulations due to the relatively low user count.
Motorola* bending the knee to the mass surveillance corps and international governments comes to mind. We'll see how their deal with GrapheneOS goes now.
Sure. Let them be sued on profits made 😂
Hate to say it but systemd, the init system of most Linux distros, already has PRs with maintainer backing to implement DoB recording.
Some people can't kneel fast enough.
DoB recording, and ID age verification, are two different things though.
No, they're the same in this context.
Which already has a revert commit https://github.com/systemd/systemd/pull/41179
The self-important creator of Systemd has personally blocked that PR, if I'm hearing correctly, which would suggest he or his employer Microsoft is all in on it.
"I'm not picking a side" and "this future proofs standardization" is of little comfort, that is seriously suspect. I ought to look to alternatives to SystemD(odge the issue failed).
SystemDOGE. It is just a matter of time before Big Balls exfiltrates our Linux data.
He left MS in January
That has already been closed
Maybe this'll take the shine off that wunderkinder mess and people will finally be free to choose something more reliable. I love how RH pushed this beta software so hard and my reboots are now just shite -- unreliable and occasionally ridiculously delayed.
I'll be glad to see the back of that metastatic shitball.
That's just systemd adding a birthdate field to their userdb. Doesn't require that it be filled out or accurate, and especially doesn't require it to be validated against a government database. I don't see it as fundamentally any different from adding a userdb field for favorite color, phone number, or blood type.
Without 3rd party validation, I really don't see the privacy issue with an age field. Without verification, it is, at worst, one more byte available to hash into a unique identifier, but you can feed that field from /dev/random at every query and poison even that hypothetical.
You are absolutely right, we are not in fact getting screwed, they are just applying the lube for later. (Shamelessly stolen from elsewhere)
Why the ever loving fuck does an init system even need a user database?
Honest to God, if FIFA were giving out a World "Understanding UNIX" Prize, Poettering would be the inaugural, and only, winner. Never in the field of operating systems has one man driven so much enshittification through sheer force of cluelessness coupled with supreme arrogance. And in a world that Steve Ballmer still occupies, that's one hell of an accolade.
Systemd is more than an init system. Systemd was designed to be different from previous Unix-style single-/narrow-purpose services. Many distros making the switch seems to indicate that such a switch had significant enough upsides or necessities. No?
I read an article about why Systemd became what it is, and why it makes sense, and that made sense to me. Integration and a fully designed system has advantages over disconnected utilities and systems you have to connect and negotiate, especially on system- and boot-up level concerns.
Whoosh.
Plesse don’t give them any ideas. Here’s a list of what’s currently included
https://systemd.io/USER_RECORD/
Localized age checks ARE a good system and are something that should have been in the OS for decades. It is the basis for being able to make "child accounts" and is a genuine requirement for Linux to be a meaningful option for "normal people". And having a protocol for software/websites to request that is a very good system to build on that.
We talk about how the problem of kids getting exposed to horrendous shit is a problem of "bad parenting". This is the tool you provide to allow parents some control.
The issue is not the age check. The issue is verification. To my understanding, the California legislature explicitly does NOT require a third party. So it is literally just you saying "Sure, whatever. I was born in 1901. Now load the Maya Woulfe video faster". And yes, this is a step towards that. But so is having network access or user accounts at all.
Even if we say I agree with this, why even ask for a specific year? Separate into child and adult, and let the super user make that change when asked.
In theory I’m not opposed to it existing as an option, but I do not like it being mandatory at all. Websites and applications should never be allowed to know any PII without explicit consent.
Different countries (actually different regions within said countries) have different laws related to what "kids" can and can't see and what age defines a "kid". How much that matters is up to you. But it provides an automated check that ALSO avoids having to say "Hey mom? I just turned 18 and for no reason whatsoever it would be great if you could switch my account to an adult. Also make sure to knock and don't look too closely at my laundry basket ever again".
And what do you think you are providing every time you tick "Yes, I am 18 years or older" or "Yes, I was born in 1920 or whatever the first option is now"?
That's there point, with this websites will just know the users age, before it was the users choice: "are you 18 or over?" But now it will be: "I know you're 37.567 years old" user has no idea. Maybe we should add religion and skin color too
The idea of storing age in the OS is that end programs don't actually access it directly. They get age ranges, like child/adult, not the actual birthdate. In theory, it's much more private than uploading your id and photo to every random website/app that you use.
If they age or birthdate is there it could leak, regardless of the API.
Cookies already exist and there is countless leakage (both intentional and unintentional...). Like most things, you are not as private and protected as you seem to think you are. Just because a website is asking you to tell it (which is mostly for compliance, not knowledge) doesn't mean they already know that you said you were 250 years old but your shopping habits suggest you are actually in your 20s and live in Detroit and really enjoy pegging.
To my knowledge, very few nations tie laws or access to that slippery slope fallacy. And parents generally have those same traits (at least while the kid is living with them). So I am not seeing much benefit from this?
And if/when we reach the point where that is the case? Uhm... I don't think companies and software will be given anywhere near as much freedom to say "Sure, we'll comply so that we can be eligible for these contracts" or "No, we won't comply so that we can market ourselves as protecting people"
That doesn't seem like a great argument for doing something that further reduces privacy and protection.
The point is that, without third party verification (which I am vehemently opposed to), it changes absolutely nothing. So it is just people whining about "freedoms" they don't even have.
And... there actually are arguments that it is good to tear down the security/privacy theatre so that people can make informed decisions and understand their actual exposure and risks.
A good example of this is that I am REALLY happy that we, as a society, have seen a drastic shift between calling things "Private Messages" and instead calling them "Direct Messages". The former implies that only you and the recipient can see them. The latter does away with that and people rapidly learn (and communicate) that site owners and often mods can see everything you send along those avenues.
Semantics
Privacy is a human right and I have a choice to who an d which third party collects my data. My own computer with software I build myself doesn’t need mandated age gates.
Only if you actually understand what information you are and aren't exposing about yourself in your every day activities.
Which... yeah, does really feel like understanding the meaning of a text/concept. So... spot on?
Amazing what you can do to protect yourself
Like one, don’t give your information to the machine
This is being baked in because of US law. I wouldn't be surprised if the US made some federal laws requiring your religion in the near future.
There's a big difference between data collection and government mandated identification.
And that is why it is a slippery slope fallacy. Eventually, superpowers are going to want to have access to your machines (they already do, but mostly in isolated cases). So any kind of data storage and overrides should be destroyed. So let's go shred our hard drives and remove the concept of sudo/root access?
Also, I will just add on that it is more than just the US that is increasingly pushing for age verification.
People can run secure systems that share minimal info. This requires all systems to store and share specific info. So you're making it illegal to have a private system. Sure most people don't, but now you're making it illegal. You think that's okay because we don't have good privacy laws right now? You want to give up?
And those generally aren't the machines you want to connect to the internet and use for all your everyday browsing.
Specific, unverified, info. That you are already sharing in most of the situations where it is being asked for.
A lot of things are illegal. Without the third party verification requirement, you are perfectly fine to hardcode that to say you were born on June 9th, 1969 by default. And that complies with the California legislation (last I read through it).
No. I want people to actually understand what is going on so that they can actually protect themselves.
How do you want people to protect themselves?
That is really going to depend on what your actual risk is. There are a decent number of articles and videos out there that go into what journalists have to do and... they are generally ahead of the curve on stuff like that.
But what people SHOULD do is to gain an understanding of what is actually going on. This entire debacle REALLY feels like a mix of people being mislead as to what the California legislature actually is (whether for Views or more nefarious reasons) combined with making it abundantly clear that they know absolutely nothing about their current risks.
Like, you telling pornhub you are over 18 is not telling PornhubCorp anything they don't already know from all the other cookies and fingerprints you are carrying everywhere. Hell, a lot of services are dedicated to tracking by IP to get around incognito mode and even caching to get around VPNs (although, most don't have to bother since people have been trained to just put EVERYTHING through a vpn so that it doesn't matter in the first place). They are literally just ticking a checkbox in the hope of not getting blocked by more payment processors.
So if you truly care about protecting your age? Have multiple devices. Learn how to split your traffic based upon device to get around many fingerprinting techniques. Figure out where to sit at Starbucks so that you have your back to a wall but don't look like a pervert. And so forth.
Rather than freaking out and throwing tantrums because people are trying to inform you about how little a self-reported age at the OS level that can be requested matters.
One fun bit of paranoia. I am sure most people are aware of the "Abnormal behavior has been detected from your IP. Please click here and then do some ML training to prove you are human" prompts that tend to come up on shared connections or if you have too many adblockers running.
Understand a lot of that is you "consenting" to have even more of your specific cookies checked (which is what happens when they "verify" you without a test). But a few years back there was an excellent paper that actually used how you perform on the ML training to further fingerprint you. The person at 1.2.3.4 with these cookies who is probably color blind is distinguished from the person at 1.2.3.4 with most of the same cookies (everyone loves going to Dildos R Us) but gets confused over whether a hotel shuttle is a bus.
And that all goes towards making sure they know exactly who you are and what ads (and trackers) to use.
Can I ask you to explain your point, "age doesn't matter, your digital footprint carries over?" You mention solutions to protect yourself from the digital footprint carry over, but this law would just make it easier to overcome those solutions.
Now instead of having to figure out the various unique patterns of accessing the internet to determine info about you, you just tell them your age (or that you're an adult, whatever) on those systems directly.
I also think it's a bit disingenuous to call 'this is the first step towards something worse' a slippery slope when that is exactly how the creeping erosion of privacy has gone in the US historically, but especially the last few decades.
You acknowledge that a lot of people don't fully understand how to protect themselves (and offer solutions that require more money, time, and education to accomplish) and in the same breath that is why it's okay that we make data collection easier.
I know this probably comes across as accusatory, but I really don't mean it that way. I'm genuinely trying to understand what your perspective is.
I... didn't say that? Not sure if you replied to the wrong person?
But I'll try to respond to what I can?
Assuming we are referring to the California legislature (I believe most/all of the US legislature if on the same grounds. The proposed EU "framework"s are very different), there is no requirement for third party verification.
It is literally the same check we already have. "Enter a random ass date that is more than 18 years ago". This doesn't "overcome" anything and, arguably, is a good law to get on the books so that you can say "Something is being done" before all the legislature and "frameworks" that want to be built around third party verification and "digital passports" do gain traction.
All of this is already happening and HAS already happened. You know all those stories about how google knows you are pregnant before you miss your first period? You know how you can quite often just click "verify you are human" and it processes without making you generate training data?
Hell, you know how targeted ads are a thing?
All of that is the same thing. It is about building profiles that tend to be so ridiculously specific that it isn't even "This user connecting from Norway actually lives in the US and is from Cleveland" and is more "Oh, this is Oswald Harvey using his nordvpn subscription that he got with a discount from a Spiffing Brit video. He tends to favor the endpoints that are 25% down the list"
Both of which speak towards why people need to educate themselves to understand what information is already out there.
Yes? I am sorry that protecting your privacy takes effort? I am sure that if you pay a random sponsor on an LTT video that they'll claim to do everything for you?
Like... I really don't know what to tell you?
Oh whoops, if I did, my bad. That's what I was understanding your comment about "it's literally the same check we already have" to be. You're saying there are already age checks for certain sites (and analysis of your web traffic and associated data being sold) and that this is no different, if I understand correctly. It is worth pointing out that while the California law requires no verification, the New York law potentially requires more than just a declaration of age. It's worse elsewhere in the world.
Right, but you see how this is also a bad thing right? Given that the FBI has now spoken about buying this data and uses it to target people, I would think that we would all want better privacy protections, not fewer.
I don't see how that should sway opinion about this being a good or a bad thing. It's a bad thing for everyone, right?
No, I am saying that. I was saying that calling this a slippery slope doesn't feel like it is based in the history of privacy erosion. I'd love to learn more about the original sin in all of this, but just because it isn't the first step doesn't mean we shouldn't fight against consolidated, government-mandated privacy violations, right?
I think you're misunderstanding me. I'm not complaining that it's difficult. I'm asking why we don't try and just fix the problem instead of letting something like this slide by because there are other, similar issues.
Correct-ish.
I would amend that to be "All of this information is already out there and you provide it, without thinking, often multiple times per day". But with the added caveat that this ONLY changes if a third party verification is required.
To my knowledge (and skimming what I can find), the New York bill also does not require third party verification. At least, as of 2025-S8102A.
But yes, fully agree regarding the rest of the world. People get EXTRA pissy if you point out the EU isn't magically doing exactly what they want it to do and always siding with "consumers" but... the frameworks and legislature being pushed through there are deeply alarming.
Do not expect companies (and company adjacent) orgs to protect your rights.
But also? The FBI doesn't need to "buy this data". They can just buy the same marketing data everyone already has on them (unless you go above and beyond to obfuscate that).
And this legislature has absolutely zero bearing on any of that.
No, it is not. Like I pointed out above: We always say "parents should watch what their kids are watching so that I can keep getting my goon on with tiktok" and all that nonsense. And do you know what the first step to ACTUALLY protecting kids online is? That's right. Restricting accounts based on age.
Adding a user provided birthdate to your account in systemd is no more dangerous than having a field for location or phone number. Having an API to fetch this from the OS IS concerning but is also very much in that realm of "This genuinely makes browsing the internet easier"as, depending on implementation, your computer can auto-verify you so you don't have to wipe the lube off your hand when you change sites.
And... its almost like those of us on open source OSes can maybe consider a way to go even farther with controlling what gets sent...
Correct. But I would bet my bottom dollar that at least a few of the folk insisting this is the evil US (fair) forcing their will upon the world don't realize their own governments might actually even be ahead of the game. Like apparently a bunch of live service games disabled chat in the UK in the past day or two?
Again, that privacy already eroded away years ago. Pretending otherwise is just lying to yourself and increasing your own risks.
The door to your home fell off and all your windows are shattered. Does it make ANY sense to freak out that your ex still has a key to your front door?
And that is why... it is more than a bit tinfoil hat but I really do wonder how much of this "outrage" is being intentionally stoked to distract from the very real concerns. If you actually care about your privacy then you need to educate yourself on what you should have been doing for years now. And consider getting on that.
Yes, let's try to fix it. Complaining about a single field being added to a user profile (that already has user provided location, phone number, email, etc) ain't it.
Focusing on the third party verification component.. is part of it.
But also understanding that all of this is out there and never coming back is more important.
One of the biggest con jobs facebook has ever done is to pretend that they let you delete your account. And they do. Except... not really. Because User 1234 who has the real name field of "Fred Jones" was deleted. But User 1235 "Daphne Blake" isn't and she has lots of pictures of her and Fred. And Old Man Wilkinson also has pictures of his home that some meddling potheads raided last month. So removing metadata from THEM would violate their digital rights.
So (simplifying), User 1234's "real name" field is indeed voided. But their profile remains the same so all associations with Daphne and Shaggy and all the mansions remain the same. Same with the knowledge that some blonde haired d-bag with an ascot went to school with Red Herring. And that he is related to Skip and Peggy Jones. And that his name is suspected to be "Fred Jones" for the purposes of making sure to protect his identity in case someone registers as him and can't provide ID to prove that.
But folk just fixate on "Delete your profile so that zuckerberg can't control you!" and ignore all that.
Because understanding things is hard.
Yeah, to be completely honest, the one place where you actually could trust this kind of information is on your own local (and ideally libre-oriented) OS, never leaving your device and instead obfuscated through an API that's exposed to whatever services need to do an age check, with the potential for additional security impositions or other concessions from data requesters due to the leverage of still having your data controlled by you. This is the bonus FOSS part where we get a say on how we want our data to be exposed on our libre systems. Other users aren't so lucky and don't get to have any voice on how this implementation happens, so we should probably participate in the discourse for those PRs rather than condemn them point blank.
Any age check is just a good way for predators to know WHO are the actual children, and with the epstein files revealing the whole billionaire and politician interest in trafficking and raping minors, this is essentially the perfect playground for them.
^^^ If you needed proof that lemmy is overrun with bots just like everywhere else.
I imagine people behind this law are pretty interested in this small but powerful user base. I would just boldly assume that a lot of people responsible for independent software and privacy advocates are using Linux etc. So its a interesting user base for sure. But regulating open source software luckily is pretty much impossible and they wont give up their(our) privacy without a fight. Also, we will see how much the user base will grow when these regulations get tighter.
They can simply say on their download pages that residents of Brazil and California are not allowed to use their OS.