A new California law says all operating systems need to have age verification

There's an obvious theme with lawmakers in California—they pass laws to regulate things they have zero clue about, add them to their achievement page, cheer for themselves, and declare, "There! I've made the world a better place." There are just too many examples. For instance:

- Microstamping requirements for guns—printing a unique barcode on every bullet casing (Glock gen3 cannot be retired, thus, the auto-mode switch bug cannot be patched...)

- 3D printers should have a magical algorithm to recognize all gun parts in their tiny embedded systems

- Now, you need to verify your age... on your microwave?

At this rate, California should just go back to the Stone Age. Modern technology is simply not compatible with clueless politicians who are more eager to virtue-signal than to solve any actual problems or even borther to study the subject about the law they are going to pass. There will be more and more technology restrictions (or outright bans on use) in California because it's becoming impossible to operate anything here without getting sued or running afoul of some overreaching regulation.

California is a confusing state, age verification for operating systems while almost releasing this monster on the public: https://www.latimes.com/california/story/2026-02-26/serial-c...

Yikes, these government folks just sign without even thinking or having a single clue about how the rule will work. They are completely irresponsible.

Richard Stallman's "Right to Read" is disturbingly prescient, as usual.

Ignoring all the tedious 'no, you're a bad person for having different priorities and beliefs to me' comments that this will inevitably inspire, I have to ask: why does the operating system need to be involved in this? The intended target of the regulation seems to be app stores.

Someone has fallen victim to Politician's Logic: https://www.youtube.com/watch?v=vidzkYnaf6Y

> [..] requires an account holder to _indicate_ [..]

i.e. this doesn't require age verification at all

just a user profile age property

> [..] interface that identifies, at a minimum, which of the following _categories_ pertains to the user [..]

so you have to give apps and similar a 13+,16+,18+,21+ hint (for US)

if combined with parent controls and reasonably implemented this can archive pretty much anything you need "causal" age verification for

- without any identification of the person, its just an age setting and parent controls do allow parents to make sure it's correct

- without face scans or similar AI

- without device attestation/non open operating systems/hardware

like any such things, it should have some added constraints (e.g. "for products sold with preinstalled operating system", "personal OS only" etc.)

but this gets surprisingly close to allowing "good enough privacy respecting" age verification

the main risk I see is that

- I might have missed some bad parts parts

- companies like MS, Google, Apple have interest in pushing malicious "industry" standards which are over-enginered, involve stuff like device attestation and IRL-persona identification to create an artificial moat/lock out of any "open/cost free" OS competition (i.e. Linux Desktop, people installing their own OS etc.).

---

"causal" age verification == for games, porn etc. not for opening a bank account, taking a loan etc. But all of that need full IRL person identification anyway so we can ignore it's use case for any child protection age verification law

----

it's still not perfect, by asking every day daily used software can find the birthdate. But vendors could take additional steps to reduce this risk in various ways, through never perfect. But nothing is perfekt.

---

Enforcement is also easy:

Any company _selling_ in California has to comply, any other case is a niche product and for now doesn't matter anyway in the large picture.

As noted at the end of the article, I suspect the impact for many OS's is going to be that they add a line in the fine print somewhere saying not for use in California.

> (g) This title does not impose liability on an operating system provider, a covered application store, or a developer that arises from the use of a device or application by a person who is not the user to whom a signal pertains.

So, this makes desktop Linux illegal, but all the software-as-a-service like Microsoft Azure and OpenAI get off scott-free?

Fantastic.

Sounds to me that this is how kids learn to spin their own operating systems (a la LFS, Gentoo)and apps.

This is how people bought personal computers when the mainframe priesthood banned them.

It appears that very soon, young people will "de facto" need to have this level of competence in order to survive and thrive in a world of "in loco parentis" operating systems and apps.

The latin reveals my age, but one thing about my age:

People my age did exactly that. We built our own hardware when there was none. We compiled (or copied) operating systems and apps. A couple of my friends wrote an operating system and a C compiler.

"My generation" created this entire internet thingy, installed and web-based apps.

Indeed, dumb-asses are going to level up young people.

How wouldn't this also apply to things like useradd(8) or simply automated user account setup, e.g. like cups, sshd, etc? Do we need to add this to vi for use in vipw on UNIX?

Are lawmakers bored? Who is asking for this? Not the tax paying citizens.

It's not stated here, but is it implied that app platforms that, themselves, have an "app store", would be required to read this datum and pass it to their app store?

For example, I've got a map application on my phone that lets me download maps, widgets, POI lists, etc. from their app store. It seems like enabling that age signal through this exchange is exactly what the politicians are looking for.

Maybe this is just an unsuspectedly astute way to get Microsoft to reenable local accounts?

Ah, so this is what Lennart Poettering has been cooking? [1]

[1] https://news.ycombinator.com/item?id=46784572

It's not clear that this applies where the "operating system provider" does not have "accounts". Linux should be OK, but "Ubuntu One" might have problems.

It's a good reason not to put cloud dependencies into things.

Does not require verification, no biggie, this is essentially a parental control system.

Is Github an application store? Is npm? apt? yum?

If not, why not? You need age verification before you even create an account.

I guess California will release California OS with age verification.

I'm under the impression anyone doing nefarious things online are probably more-than tech savvy enough to not install an OS that rats them out...right?

Isnt that literally one of the first rules of the DNM Bible?

Was there HN discussion at the time the bill was introduced / passed?

Looking forward to resisting the regime.

I really hate this new world where one jurisdiction - California, Europe, wherever - makes a law and suddenly every other jurisdiction has to comply because the law-making jurisdiction is big enough that tech companies can't abandon it.

And since it doesn't make sense to have dozens of different versions of their apps, they write to the strictest jurisdiction's laws.

If everyone has the power to make laws that apply to everyone...it's chaos.

Many of you commenting haven't read the legislation and it shows.

I hope the headline is just ragebait cause I feel infuriated

The actual bill: https://leginfo.legislature.ca.gov/faces/billTextClient.xhtm...

Bill text (it’s longer, but the rest is mostly definitions of the terms used here):

1798.501. (a) An operating system provider shall do all of the following:

(1) Provide an accessible interface at account setup that requires an account holder to indicate the birth date, age, or both, of the user of that device for the purpose of providing a signal regarding the user’s age bracket to applications available in a covered application store.

(2) Provide a developer who has requested a signal with respect to a particular user with a digital signal via a reasonably consistent real-time application programming interface that identifies, at a minimum, which of the following categories pertains to the user:

(A) Under 13 years of age.

(B) At least 13 years of age and under 16 years of age.

(C) At least 16 years of age and under 18 years of age.

(D) At least 18 years of age.

(3) Send only the minimum amount of information necessary to comply with this title and shall not share the digital signal information with a third party for a purpose not required by this title.

(b) (1) A developer shall request a signal with respect to a particular user from an operating system provider or a covered application store when the application is downloaded and launched.

(2) (A) A developer that receives a signal pursuant to this title shall be deemed to have actual knowledge of the age range of the user to whom that signal pertains across all platforms of the application and points of access of the application even if the developer willfully disregards the signal.

(B) A developer shall not willfully disregard internal clear and convincing information otherwise available to the developer that indicates that a user’s age is different than the age bracket data indicated by a signal provided by an operating system provider or a covered application store.

(3) (A) Except as provided in subparagraph (B), a developer shall treat a signal received pursuant to this title as the primary indicator of a user’s age range for purposes of determining the user’s age.

(B) If a developer has internal clear and convincing information that a user’s age is different than the age indicated by a signal received pursuant to this title, the developer shall use that information as the primary indicator of the user’s age.

(4) A developer that receives a signal pursuant to this title shall use that signal to comply with applicable law but shall not do either of the following:

(A) Request more information from an operating system provider or a covered application store than the minimum amount of information necessary to comply with this title.

(B) Share the signal with a third party for a purpose not required by this title.

Next it will be all devices able to run Doom.

These lawmakers are not even wrong.

To be wrong, one must understand what one is talking about.

Sigh.

Hmm i think at te moment its only Linux that has by default local only accounts except if being used in some sort of SSO environment .

Microsoft has been pushing aggressively to deprecate the local and funnel everyone to Microsoft online accounts , while Android and macOS/iOS are already in such a state by default.

Coupled with the same accounts being used for online login, looks like a feature creep panopticon in the making. With Linux lucking out be default.

Buffy Wicks obviously should not be legislating APIs. But I think it's funny how badly this misinterprets the situation. The local user account on a computer has never been less relevant than it is today.

> That's likely no big deal for Windows, which already requires you to enter your date of birth during the Microsoft Account setup procedure

That isn’t age verification at all

This sounds like one of those laws that get used not so much to force compliance, but to punish noncompliance as part of a larger case.

Apparently the redacted politicians that were caught raping and murdering little boys and girls in the Epstein files are entitled to a higher level of privacy than either you or me.

How will this work with the numerous "Hobby" Operating Systems out there ?

Sure, I'll ask where the user is located, and if they choose California, I'll ask them for their age. And if they choose over 21 I'll scold them for voting for Gavin.

Aha... Interesting, I'm the sysadmin of myself so I verify myself that I'm entitled to be root on my iron. Sometimes politicians reveal themselves in their future program dreaming things like mandatory online accounts on corporatocracty-controlled servers for all...

Trump - making heroic efforts to give Newsom the presidency in 2028. Newsom valiantly resisting those efforts.

Is this a weird attempt at device verification?

So now I have to prove who I am just to use something I purchased? Am I gonna have to prove my age/identity to my new laundry machine (it runs on OS)?

Extremely stupid that this will fall on the OS.

Accomplishes three things: Demonizes age verification, big tech gets to dodge it, cedes more control of your PC.

One could cope that this regulation can not apply to Linux or other OSS operating systems. But this is only true unless the bootloaders on consumer devices are mandated to be closed next.

We already have Secure Boot, the infrastructure is in place. It is currently optional, but a law like this can change that.

"The road to hell is paved with good intentions." - unknown

How will this work with ephemeral VMs? If you spin up a few hundred a day, will each one prompt you for birthday ? And whose birthday ? The CEO?

You know the non-governmental organization "Save the Children"? Maybe it's time to create a new one called "Fuck the Children" to defend people from these laws designed to mine privacy under the pretense of protecting minors.

It's getting to be time for tech firms to leave California.

Next step will be reporting potentially unlawful activities.

Ok. No more linux in california. Forget silicon valley. Forget all the supercomputers at research establishments. Forget all the smart TVs. Forget all the cars with in-dash computers. Let's see how long california can keep its lights on without embedded linux.

In all seriousness, rather than comply, linux distros should enforce this law. Any linux install that detects itself being in california should automatically shutdown with a loud error message. I give it a week before a madmax situation develops.