I think that malicious compliance all the way might have been the better option here. If a birth date is all that is needed, let the user enter a random one. If actual biometric verification is needed alongside, let the user also paste the code to a fake biometric validator that always returns valid.
It is the same philosophy as with an app that forcibly wants an invasive permission to the detriment of the user. Let the app have the permission while in a sandbox so it sees nothing.
Asking the device owner for the user's birth date is precisely what the (California) law requires.
Biometrics are not required.
The concept appears to be that a parent or guardian could enter the birth date before turning the device over to a child.
Malicious compliance would be providing this age bracket API:
boolean is_user_over_18() { sleep (18 * 365.25 * 86400); return true; }
This is a real-time interface (as required by the law) that takes 18 years to complete. (Remember: "Real-time" does not mean "fast").
You'd need to closely read the law and have a lawyer advise you, but a neat attempt might be to just ask for the date of birth, send that "in real time" to the App Store program, and then have that program simply discard it?
I don't think current iterations of the law require that this be sent off-device in any way.
Agree. I didn't even think of that. Embarrassing. Your approach might have been the best option.
Giving in in any capacity is unacceptable. The GrapheneOS foundation is based in Canada and is not obligated to record this information, so they won't. They have no reason to comply, be it malicious or otherwise.