Linux Age Verification: FOSS in the Brave New World

title: "Linux Age Verification: FOSS in the Brave New World"
source: https://youtu.be/ud7NEaHKP-k?si=gjesCbTZZOtVn8F7
author:
  - "[[ExplainingComputers]]"
published: 2026-03-21
created: 2026-03-22
description: Patreon - https://www.patreon.com/cw/FaultlinesStudioIn 1926, Erwin Schrodinger wrote the most successful equation in the history of physics. Then he spent 3...
tags:
  - Computer

REFERENCES: Carl Richell blog post “System76 on Age Verification Laws”: https://blog.system76.com/post/system76-on-age-verification

Canonical response to California Act: https://discourse.ubuntu.com/t/ubuntus-response-to-californias-digital-age-assurance-act-ab-1043/77948

Ageless Linux website: https://agelesslinux.org/index.html

Adendix Homepage: https://www.adenixgnulinux.org

MidnightBSD GitHub page: https://github.com/MidnightBSD/src?tab=License-1-ov-file

The Periodic Table of Distros on DistroWatch: https://distrowatch.com/images/other/periodic-table-of-distro.png

Carl Richell tweet on open source and Colorado bill: https://x.com/carlrichell/status/2031125624711164182

LEGISLATION: California Assembly Bill No.1043: https://leginfo.legislature.ca.gov/faces/billTextClient.xhtml?bill_id=202520260AB1043

Colorado Senate Bill 26-051: https://leg.colorado.gov/bill_files/110990/download

Brazil Digital Statute of the Child and Adolescent (ECA Digital - Law No. 15,211/2025): https://tinyurl.com/yc2vt4m8

UK Online Safety Act -- https://www.legislation.gov.uk/ukpga/2023/50/contents

Australia Online Safety Amendment (Social Media Minimum Age) Act 2024: https://www.legislation.gov.au/C2024A00127/asmade/downloads

You can find all of the ExplainingComputers Linux episodes on this page: https://explainingcomputers.com/linux_videos.html

Transcript

Titles & Intro

0:12 · Welcome to another video from explaining computers.com.

0:17 · This time I'm going to talk about the impact of age verification legislation on Linux operating systems.

0:26 · Already new laws in California and Brazil require operating system providers to record the age of a user during account setup and to provide age bracket verification signals to applications including websites.

0:43 · Similar legislation is currently progressing in Colorado, Illinois, and New York and more broadly has many backers around the world.

0:53 · All of this will prove very challenging for many Linux distros both practically and philosophically.

1:01 · So let's examine the current state of play and where we may be headed in the future.

Rising Legislation

1:13 · Over the past few years, legislators have sought to protect children from harmful online content. Signature legislation has included the UK's Online Safety Act, as well as the Australia Online Safety Amendment, Social Media Minimum Age Act, which ban those under 16 from accessing major social media platforms. This and other legislation has clearly started a global trend, which is now starting to directly impact operating systems.

1:45 · No reasonable person can argue against a good intention to protect children from pornography, illegal content, and the potentially harmful aspects of social media. However, many are questioning the impact of associated legislation on adults, as well as its likely effectiveness and technical practicality.

2:06 · It does indeed seem that increasingly those making our laws lack the required technical knowledge and competence to do so appropriately in the digital age.

2:18 · Turning specifically to operating systems, California's digital age assurance act was established under Assembly Bill 1043, signed into law in October 2025 and takes effect from January the 1st, 2027.

2:35 · The act defines an operating system provider to be a personal entity that develops, licenses, or controls the operating system software on a computer, mobile device, or other generalpurpose computing device. And it then requires an operating system provider to do several things with two key ones being to provide an accessible interface at account setup that requires an account holder to indicate the birth date, age or both of the user of that device for the purpose of providing a signal regarding the user's age bracket to applications available in a covered application store. And secondly, to provide a developer who has requested a signal with respect to a particular user with a digital signal via a reasonably consistent real-time application programming interface that identifies at a minimum which of the following categories pertains to the user with the categories being under 13, 13 to 16, 16 to 18, and 18 plus.

3:40 · Moving on, the Colorado Senate Bill 26051 is very similar. Was passed in the Colorado Senate on March the 3rd, 2026, and at the time of making this video awaits a vote in the Colorado House of Representatives.

3:56 · The legislation is scheduled to take effect from January the 1st, 2028, and as we can see, is worded very similarly indeed to what's already been passed into law in California.

4:11 · Also very similar in its treatment of operating systems is Brazil's digital statute of the child and adolescent which became law on September the 17th, 2025 and came into force on March the 17th, 2026.

4:26 · This states that providers of internet application stores and terminal operating systems shall take proportional auditable and technically secure measures to ascertain the age or age range of users and enable to a secure API the provision of an age signal to providers of internet applications.

4:50 · The principle of requiring an operating system to elicit the age of a user and to use this information to provide age verification signals is clearly consistent across the first wave of legislation in this area. And like it or not, I think we should assume that these requirements are likely to be repeated in laws covering far more territories in the future.

Compliance Practicalities

5:20 · The legislation we've just looked at raises all kinds of practical questions and concerns.

5:27 · For a start, it's focused on age declaration, not age verification, and so may simply encourage those creating accounts to lie.

5:37 · And if a parent creates an account for a child, wants to stop the child installing a virtual machine or accessing an operating system running on a cloud server and declaring a different age in that current legislation also doesn't deal with the issue of an account being created on a computer that's used by multiple users. Indeed, when Gavin Nuome, the governor of California, signed his state's bill into law, he wrote this letter to the state assembly, urging its members to make amendments to address accounts used by multiple users on the same PC, as well as use a profile shared across multiple devices.

6:17 · So, even senior lawmakers recognize that early legislation is flawed.

6:24 · Implementing what the legislation requires is also likely to be difficult for Linux in particular for a number of reasons. For a start, Linux development is decentralized with no central OS provider like Microsoft, Apple or Google that can mandate and implement a technical solution and take legal responsibility for it. There are also hundreds of distros, many with very small development teams, who may lack the resources or will to implement what the legislation requires. Indeed, many Linux developers may be philosophically opposed to implementing aid declaration and reporting. After all, many people choose Linux specifically because they don't want their operating system to demand, store, and report personal information.

7:15 · It can even be argued that the new laws discriminate against Linux. Microsoft, Apple, and Google already have various parental control and agegate features and things like that in place, but Linux distros do not. Largely because most have not integrated themselves into wider cloud ecosystems and so the relative costs of compliance are far higher for Linux.

The Linux Response

7:48 · So what are different Linux distros actually going to do? Well, options range from implementing age declaration and reporting features to using disclaimers to ignoring the new laws in the hope they won't be enforcable to violating the new laws on grounds of principle.

8:09 · In respect of the last option there, I want to make it absolutely clear. I'm in no way encouraging anybody to do anything that's illegal or will become illegal where they live. But already we've got the ageless Linux website offering a script to turn any Debianbased DRO into one that will be non-compliant.

8:28 · and they also have a running inventory of US state laws that require operating system providers to collect age data from users.

8:38 · Such an approach is not likely to be taken by any Linux distro that's directly provided by or associated with a commercial organization.

8:48 · I would therefore predict the Dubuntu from Canonical, Red Hat Enterprise Linux from Red Hat, the Souza Linux Enterprise Server from Souza and Pop OS from system 76 will have to put age declaration into their account creation and to provide age bracket signals to applications and due to their close associations with Red Hat and Soua respectively, Fedora and Open Soua will probably also choose to comply.

9:20 · This said, at the time of making this video, whilst a lot of unofficial discussion has taken place in forums, none of the companies and distros I've just mentioned have stated what they will do. Most explicit so far have been Canonical who have published this statement on the California Act. As it notes, Canonical is aware of the legislation and is reviewing it internally with legal counsel, but there are currently no concrete plans on how or even whether Ubuntu will change in response.

9:54 · Meanwhile, over at System 76, CEO Carl Richell has published this extremely good blog post. This says nothing about what will happen with Popo OS, but it's a very good read indeed on operating system age verification laws, which I will of course link in the video description.

10:15 · And I very much agree with Carl that the best solutions lie with educating our children about life with digital abundance rather than passing laws that will in no meaningful way make young people safer online.

10:32 · Beyond compliance or violation, the other option is to publish a disclaimer.

10:38 · For example, here on the addendix website, if we scroll down, we can see that their distros are flagged as not for use in California or any other regions with age verification laws that affect operating systems. Our distros will not have age checks in place.

10:58 · A similar approach has been adopted by Midnight BSD, which I am aware is not a Linux distro, but Midnight BSD is far from a small development team. And if we look at their GitHub page, what they've done is worthy of note. As we can see, distribution is now under the terms that residents of any countries, states or territories that require age verification for operating systems are not authorized to use midnight BSD.

11:30 · Adopting the disclaimer approach certainly has its attractions, and I imagine it's what many smaller Linux distros may choose, or indeed in practical terms have to do. However, there will be downsides. Not least, if a DRO doesn't provide age verification signals, then applications, including websites, may treat its users as being under 13. They may default to the safest option and because of that deliver a much reduced internet experience, a nerfed internet experience. And therefore, in the future, users may not wish to use a DRO that's opted for a disclaimer rather than compliance.

The Road Ahead

12:14 · For years, people have been complaining about Windows and other mainstream operating systems gathering and then sharing online far too much personal information. And yet it now appears that legislation is going to force Linux distros to join the party to start gathering and sharing personal information online which is completely against the principles of many people who choose Linux in the first place. And doing this will not I think in any meaningful way protect children which in my view very much is the role of parents maybe of some content providers but protecting children and gathering personal information sharing it should not be the role of an operating system.

12:59 · Now, as the periodic table of distros reminds us, most Linux operating systems are based on Debian or Ubuntu with many of the others based on Arch, Red Hat, Fedora, Slackware, or Gentu. And so, it will probably be what these distros decide to do that will really matter.

13:20 · As I've already noted, Ubuntu, Red Hat Enterprise Linux, and Fedora will almost certainly have to comply. So the big one to watch is Debian and I cannot believe that its very fossentric development community will be happy to include age declaration and age bracket reporting.

13:40 · However, this does not mean that they won't grudgingly do so.

13:45 · On the positive side, there may still be amendments to some legislation.

13:50 · Back on March the 9th, Carl Ritchell from System 76 met with Colorado Senator Matt B, who apparently suggested excluding open-source software from the Colorado bill.

14:04 · This would of course be excellent. But we're not just talking about US legislation with Brazil's digital statute of a child and adolescent already in force. And I do fear that the cat is now out of the bag.

14:21 · I also worry that what we're seeing with early legislation is just the thin end of the wedge because right now operating systems are starting to be required to do age declaration. It isn't really age verification at all. But they could be required in the future once they've started going down this route to do proper age verification requiring people to actually upload IDs and that kind of stuff to actually verify who they are to the operating system when they install it and create accounts which is getting much much worse. We may look back on the early legislation say if only it had stopped there. I hope we don't but there's no guarantee it isn't going get worse and worse and worse. Now in my view we should not be regulating what happens in an operating system.

15:00 · Regulating content provision that's a slightly different thing. I can see the point in that content providers have always had to think about um different age bands and and how they deliver content appropriately to different people. But an operating system is used for all kinds of things and it shouldn't I think have to take on that sort of a that role of checking who the user is before they they ask for a service. But then that's just my opinion. But I think we're heading into a world because of all this where we're going to see more and more people having to use hacks and things to get around things operating systems are are not allowing them to do.

15:38 · We're going to see more use of virtual machines. We're going to see more use of VPNs, although maybe more use of VPNs because if you're here in the UK, you will know that right now the government just started a consultation that includes potentially agegating VPNs, requiring VPNs to do age verification.

15:58 · It's a sad world we are in.

16:02 · Anyway, I probably don't have to say it, but if you've got views on this stuff, please let us know down in the comments section. And please don't shoot the messenger. I'm just letting you know what's going on.

16:14 · But now that's it for another video. If you've enjoyed what you've seen here, please press that like button. If you haven't subscribed, please subscribe.

16:25 · And I hope to talk to you again very soon.