It seems obvious that having Apple, Microsoft and Google collect and verify age anonymously is better than some weird third party service provider like Yoto.

Not saying I agree with this law. I think I would structure it that age regulated content requires this signal from the device provider in an anonymous format as an opt-in to age regulated content and not as a requirement for every single computing device.

A lot of the comments in here seem to be focused on mobile devices, but this law applies to basically every general computing device.

Here are the definitions from the bill in a more reasonable order than they are presented there:

> "DEVICE" MEANS ANY GENERAL-PURPOSE COMPUTING DEVICE THAT CAN ACCESS A COVERED APPLICATION STORE OR DOWNLOAD AN APPLICATION.

> "COVERED APPLICATION STORE" MEANS A PUBLICLY AVAILABLE INTERNET WEBSITE, SOFTWARE APPLICATION, ONLINE SERVICE, OR PLATFORM THAT DISTRIBUTES AND FACILITATES THE DOWNLOAD OF APPLICATIONS FROM THIRD-PARTY DEVELOPERS TO USERS OF DEVICES.

> "APPLICATION" MEANS A SOFTWARE APPLICATION THAT MAY BE RUN OR DIRECTED BY A USER ON A DEVICE.

> "DEVELOPER" MEANS A PERSON THAT WRITES, CREATES, MAINTAINS, OR CONTROLS AN APPLICATION.

The law applies to Operating System providers that runs on such a device:

> "OPERATING SYSTEM PROVIDER" MEANS A PERSON THAT DEVELOPS, LICENSES, OR CONTROLS THE OPERATING SYSTEM SOFTWARE ON A DEVICE.

Basically every Linux distro falls under this. Never mind the fact that OS providers don't really have control over where you run their code. If my device doesn't have a network card, does that mean my OS can skip this?

This also is not privacy preserving. It does require the device only report what age bracket a user belongs too, but on a long enough time frame, anyone currently under that age of 18 has their age accurately disclosed, often down to their birthday.

Worse, all applications MUST query this information every time it is run, regardless of whether or not age is at play. Every time you run grep, grep needs to know how old you are:

> A DEVELOPER SHALL REQUEST AN AGE SIGNAL WITH RESPECT TO A PARTICULAR USER FROM AN OPERATING SYSTEM PROVIDER OR A COVERED APPLICATION STORE WHEN THE DEVELOPER'S APPLICATION IS DOWNLOADED AND LAUNCHED.

Now, oddly, user is defined to be minors:

> "USER" MEANS A MINOR WHO IS THE PRIMARY USER OF A DEVICE.

But, the way the law is written, the implementation necessarily applies to everyone.

This shift toward OS-level verification is an interesting architectural pivot. It’s arguably more privacy-preserving to have a "local-first" verification—where the device confirms a threshold age without sharing the underlying identity documents with every third-party site.

The real challenge will be ensuring this doesn't inadvertently entrench the gatekeeping power of major OS vendors or create a single point of failure for identity tracking. However, from a data-minimization standpoint, it feels like a more robust approach than the current fragmented landscape of requiring users to upload sensitive IDs to dozens of different websites.

This is why we shouldn't use passkey. The authorities (not only the US) are clearly aiming to lock down the hardware we can use. Remember, passkey has a function to restrict the freedom to choose the authenticator we want to use.

What a failure as a species that parents are not trusted or believed to be capable of raising their children. Therefore let's build out the panopticon.

Like the web attestation API Google tried and got so much backlash for? Good luck, I guess.

I do not install apps on my phone regardless if whatever that means and I do not browse from my phone. It might be time to just make a git repo of all the sites that participate in this weird fascistic behavior and block them in uBlock until the governments stand up and say pop i.e. pull their head out of their ass. Anything other than RTA [1] headers is a non starter for me.

The only thing governments should be doing is legislating that apps commonly used by small children be required to look for the RTA header and trigger parental controls if the device owner enabled them. That's it. Not perfect, nothing is or will be but it's more than we have now, does not leak PII and utilizes existing laws that already apply to parents.

[1] - https://news.ycombinator.com/item?id=46152074

Query: Are there any current legal challenges to this rapid spread of age verification that have a chance of hitting the Supreme Court?

From my admittedly poor understand of legal stuff, these are largely proactive measures happening at company and state level. Congress nor Supreme Court have issued any rulings around this yet.

Well, it's one step closer to parents, although I doubt it will ever get there.

Colorado is cordially invited to eat shit.

Richard Stallman's "Right to Read" from 1999 is worth another read.

Only viable solution: ID tagged kids carry ID tagged phone, use ID tagged PC.

>Under the bill, an operating system provider would be required to collect a user’s date of birth or age information when an account is established

This seems to happen on some WEB sites now, but many people here probably do not sign up on these sites, of if they due, they live on the moon and are thousands of years old or born in the future :)

Now, the law is still in the legislature and I really doubt it will be passed. I believe this because of lobbying by both Microsoft and Apple. For non US people, lobbying now == bribes which is now somewhat legal depending how it is done.

So lets pretend and speculate, but I doubt that law will ever become real.

I am sure OpenBSD will completely ignore this law. NetBSD and FreeBSD probably too, but since both are based in the US, they could be chased down.

Since I believe Linux is pretty much owned by Large Corporations, I think they are at risk of being forced to comply. Plus most non-tech people have heard of Linux so that adds to the risk. So, BSDs may have some years of "freedom" due to them flying under the radar or could be ignored completely.

In any case, if passed, VPNs will be happy.

Finally, sensible. I never understand why websites or apps had to do it. It's way easier, more scalable and cheaper for the OS to do it.

Are these lawmakers funded by Apple and Google?

This is already the law in Brazil.

General purpose computing is dead.

What absolute creeps. Major major amplification of the war on general purpose computing. It's absurd how governments are so willing to just make demands of products, are so intent on being product managers making their lists of how they want the world to run.

There's just shy of 200 countries in the world. That's a lot of product managers already! But if provinces/regions/us states all decide they too can define how software has to work, we are up to thousands of little emperors all telling the world how we have to think, how we have to compute.

It's frelling disgusting.

This effort here has similar vibes to Chrome's Digital Credentials API. Which can be privacy preserving, but where site's can demand basically whatever they want. Either way, each site is returned material, that it then has to verify. So we are back to only approved identity working. And it seems unlikely credential issuers will willingly work with anything but 1st tier browsers/OSes. https://developer.chrome.com/blog/digital-credentials-api-sh...

It feels like a sure creeping doom that the internet is not going to be available in many places, except by commercial OSes that use DRM and attestation to deny users access to their own systems. This is against mankind, and imo, against every spiritual fiber that made man a great creature & arose us to what we are. To deny us a view of the world is to deny us from being toolmakers, is to mame our senses. This is an affront to our humankind. This making the machines infernal.

It seems to me that this is timed curiously close to google getting rid of side loading on android. Is this something that’s being planned behind the scenes?

I mean, if android allows sideloading anyone would be easily able to get around these checks am I right?

Fuck right off, Colorado and every "think of the children" surveillance state and mass privacy invasion supporter.

Or anyone demanding cloud AI DRM for 3D printers and CNC machines.

Flock cameras and Ring Search Party too.

Certain potential capabilities are simply too dangerous to be given to any company, any government, or any person for any reason. Remember PRISM?

These are illiberal assaults on personal freedoms and privacy that must be vigorously and completely resisted just like when the Clipper chip was thoroughly trounced.