Mastodawn

California's AB 1043 (Digital Age Assurance Act) is annoying, but nowhere near the danger of other age verification proposals. The requirement is for a signal of age/age bracket from OS to application. It is not verification as we usually define it.

You can make slippery slope arguments, but before you do, worth reading the stated arguments for/against the bill.

Also this bill has been law for some time now??? Goes into effect in 2027, but it became law in October 2025!

https://leginfo.legislature.ca.gov/faces/billTextClient.xhtml?bill_id=202520260AB1043

Bill Text - AB-1043 Age verification signals: software applications and online services.

AB 1043 Age verification signals: software applications and online services.

Show thread

Epic Null Mar 2

@mttaggart Is that link meant to link to something related to the article?

@Epic_Null Fixed.

@mttaggart it hasn’t gone into effect yet, it happens jan 1 2027 I believe. I was also surprised that it actually passed already, but i agree with your assessment: it’s not *great* but it does avoid a ton of the more serious harm from other proposals, and arguably heads off the need for those other, worse things. the panic about it seems confused about what it actually does

Show thread

Taggart Mar 2

@glyph All I'm seeing is foot-in-the-door arguments. Also, FWIW, this thing is practically unenforceable outside of managed app stores. It's not like GitHub is going to check the age signal before cloning software, yet "covered application store" would include code forges.

Show thread

Glyph Mar 2

@mttaggart the worries I'm seeing is that "linux is illegal now!!!" because of the "per affected child" penalty (but also a bunch of worries about AI and whatnot that are totally irrelevant here).

My own reading is that the "per affected child" thing is liability for online services *receiving* the signal, not for the OS vendors and certainly not per copy of the OS. Does that track with your understanding?

Show thread

Taggart Mar 2

@glyph Mmm, not quite. My reading of 1798.503. (a) is that both OS and app developers can violate the title in different ways.

The OS developer, if failing to create the signal/implement the API, could be found in violation. And the app developer, if failing to request/process the signal, could be in violation. The difference between negligent and intentional violation is interesting, but mostly for defense attorneys.

Show thread

Glyph Mar 2

@mttaggart Ah, good point. In that case I guess maybe some of the concern is warranted? It irks me that so much of it is tinged with this underlying assumption that nobody can ever regulate what a Linux distribution does because Linux must always be Free, though. Like maybe this law should be repealed but also vendors really *should* have some kind of capacity to at least respond to this sort of regulation, because *some* version of "your platform must have this API" is probably very good

Show thread

Glyph Mar 2

@mttaggart (by "this API" I do not mean age-verification, I mean literally any API to do anything)

Show thread

Taggart Mar 2

@glyph I haven't put this together yet, but my instinct is that the conceptual distance between something like this and GDPR is much smaller than most think.

Also not for nothing, but California has a vested interest in not completely destroying industries that are, ah, not for minors.

Show thread

Glyph Mar 2

@mttaggart yeah exactly.

I am trying to not let my opinions harden too much here until more experts have weighed in though. Maybe there are some unintended-side-effect bombs hiding in here that I haven't considered.

Show thread

katzenberger Mar 3

@mttaggart

You are mistaken. 1798.501. (b) clearly states that applications are assumed to have knowledge of the age span the user in front of the screen falls into.

That provides enough leverage for taking out applications, one by one, by stating they require legal age for usage. All it takes is a relentless series of campaigns employing the most prominent of the Four Horsemen of the Apocalypse, "Think of the children!!!".

Appeasement and compliance in advance is not an appropriate answer here. TBH I'm appalled by swaths of developers suggesting implementations already, e.g. for #Debian.

Show thread

Taggart Mar 3

@katzenberger Counterpoint: the desire to age-gate applications already exists independently of this measure. Discord is instructive here, as the amount of power granted to the age verifier in that case is substantial. Compare that structure to this one. AB 1043 doesn't create leverage; it takes it away.

Remember that the signal being requested is not independently verified in any way, shape, or form. It just exists, and 1798.501 (b) (3) indicates that the signal shall be authoritative. This takes power away from skeevy entities like Persona and states who would leverage them.

I also think the (b)(2)(B) and (b)(3)(B) are important here:

(B) A developer shall not willfully disregard internal clear and convincing information otherwise available to the developer that indicates that a user’s age is different than the age bracket data indicated by a signal provided by an operating system provider or a covered application store.

(B) If a developer has internal clear and convincing information that a user’s age is different than the age indicated by a signal received pursuant to this title, the developer shall use that information as the primary indicator of the user’s age.

At first this sounds bad! "Hey, if you can tell the user is lying, you can't ignore it." But what that means in practice is the developer shouldn't have any way of knowing whether the user is lying. Put another way, it's the privacy-invasive applications that will have the hardest time complying with this.

Show thread

katzenberger Mar 3

@mttaggart

That is only a counterpoint if one accepts, upfront, that every platform needed to implement it.

The title won't even go into effect until next year. And developers are already discussing implementation details at length: barely whether it affects them (Linux); barely ways how to contest or fight it.

The issue with AB 1043 is not that it is "inacceptably intrusive". Allegedly being "less intrusive" is the intended pseudo-debate, besides the piling up of implementation details, both designed to signal "this ship has sailed", or "resistance is futile", whatever you prefer.

The issue is that it creates leverage even on platforms that, so far, have resisted such intrusions; and that, so far, have not been know for compliance in advance.

The issue is that every such bridgehead serves a purpose that goes way beyond it. That's what it is: a bridgehead.