GrapheneOS refuses to comply with new age verification laws for operating systems — group says it will never require personal information

https://reddthat.com/post/62401261

I was wondering when I would see this headline. I wonder if any other big names do similar.
I also wonder whether or not GrapheneOS, or open source Linux OSs in general, will face any repercussions for failing to comply with these regulations due to the relatively low user count.

Hate to say it but systemd, the init system of most Linux distros, already has PRs with maintainer backing to implement DoB recording.

Some people can’t kneel fast enough.

Localized age checks ARE a good system and are something that should have been in the OS for decades. It is the basis for being able to make “child accounts” and is a genuine requirement for Linux to be a meaningful option for “normal people”. And having a protocol for software/websites to request that is a very good system to build on that.

We talk about how the problem of kids getting exposed to horrendous shit is a problem of “bad parenting”. This is the tool you provide to allow parents some control.

The issue is not the age check. The issue is verification. To my understanding, the California legislature explicitly does NOT require a third party. So it is literally just you saying “Sure, whatever. I was born in 1901. Now load the Maya Woulfe video faster”. And yes, this is a step towards that. But so is having network access or user accounts at all.

Even if we say I agree with this, why even ask for a specific year? Separate into child and adult, and let the super user make that change when asked.

In theory I’m not opposed to it existing as an option, but I do not like it being mandatory at all. Websites and applications should never be allowed to know any PII without explicit consent.

Even if we say I agree with this, why even ask for a specific year? Separate into child and adult, and let the super user make that change when asked.

Different countries (actually different regions within said countries) have different laws related to what “kids” can and can’t see. How much that matters is up to you. But it provides an automated check that ALSO avoids having to say “Hey mom? I just turned 18 and for no reason whatsoever it would be great if you could switch my account to an adult. Also make sure to knock and don’t look too closely at my laundry basket ever again”.

That’s the point: with this, websites will just know the user’s age. Before, it was the user’s choice: “are you 18 or over?” But now it will be: “I know you’re 37.567 years old” and the user has no idea. Maybe we should add religion and skin color too.

Cookies already exist and there is countless leakage (both intentional and unintentional…). Like most things, you are not as private and protected as you seem to think you are. Just because a website is asking you to tell it (which is mostly for compliance, not knowledge) doesn’t mean they already know that you said you were 250 years old but your shopping habits suggest you are actually in your 20s and live in Detroit and really enjoy pegging.

Maybe we should add religion and skin color too

To my knowledge, very few nations tie laws or access to that slippery slope fallacy. And parents generally have those same traits (at least while the kid is living with them). So I am not seeing much benefit from this?

Like most things, you are not as private and protected as you seem to think you are.

That doesn’t seem like a great argument for doing something that further reduces privacy and protection.

That doesn’t seem like a great argument for doing something that further reduces privacy and protection.

The point is that, without third party verification (which I am vehemently opposed to), it changes absolutely nothing. So it is just people whining about “freedoms” they don’t even have.

And… there actually are arguments that it is good to tear down the security/privacy theatre so that people can make informed decisions and understand their actual exposure and risks.

A good example of this is that I am REALLY happy that we, as a society, have seen a drastic shift between calling things “Private Messages” and instead calling them “Direct Messages”. The former implies that only you and the recipient can see them. The latter does away with that and people rapidly learn (and communicate) that site owners and often mods can see everything you send along those venues.

Semantics

Privacy is a human right and I have a choice to who and which third party collects my data. My own computer with software I build myself doesn’t need mandated age gates.

I have a choice to who and which third party collects my data.

Only if you actually understand what information you are and aren’t exposing about yourself in your every day activities.

Which… yeah, does really feel like understanding the meaning of a text/concept. So… spot on?

Amazing what you can do to protect yourself

Like one, don’t give your information to the machine

This is being baked in because of US law. I wouldn’t be surprised if the US made some federal laws requiring your religion in the near future.

There’s a big difference between data collection and government mandated identification.

This is being baked in because of US law. I wouldn’t be surprised if the US made some federal laws requiring your religion in the near future.

And that is why it is a slippery slope fallacy. Eventually, superpowers are going to want to have access to your machines (they already do, but mostly in isolated cases). So any kind of data storage and overrides should be destroyed. So let’s go shred our hard drives and remove the concept of sudo/root access?

People can run secure systems that share minimal info. This requires all systems to store and share specific info. So you’re making it illegal to have a private system. Sure most people don’t, but now you’re making it illegal. You think that’s okay because we don’t have good privacy laws right now? You want to give up?

People can run secure systems that share minimal info.

And those generally aren’t the machines you want to connect to the internet and use for all your everyday browsing.

This requires all systems to store and share specific info.

Specific, unverified, info. That you are already sharing in most of the situations where it is being asked for.

So you’re making it illegal to have a private system. Sure most people don’t, but now you’re making it illegal.

A lot of things are illegal. Without the third party verification requirement, you are perfectly fine to hardcode that to say you were born on June 9th, 1969 by default. And that complies with the California legislation (last I read through it).

You think that’s okay because we don’t have good privacy laws right now? You want to give up?

No. I want people to actually understand what is going on so that they can actually protect themselves.

How do you want people to protect themselves?

That is really going to depend on what your actual risk is. There are a decent number of articles and videos out there that go into what journalists have to do and… they are generally ahead of the curve on stuff like that.

But what people SHOULD do is to gain an understanding of what is actually going on. This entire debacle REALLY feels like a mix of people being misled as to what the California legislature actually is (whether for Views or more nefarious reasons) combined with making it abundantly clear that they know absolutely nothing about their current risks.

Like, you telling pornhub you are over 18 is not telling PornhubCorp anything they don’t already know from all the other cookies and fingerprints you are carrying everywhere. Hell, a lot of services are dedicated to tracking by IP to get around incognito mode and even caching to get around VPNs (although, most don’t have to bother since people have been trained to just put EVERYTHING through a vpn so that it doesn’t matter in the first place). They are literally just ticking a checkbox in the hope of not getting blocked by more payment processors.

So if you truly care about protecting your age? Have multiple devices. Learn how to split your traffic based upon device to get around many fingerprinting techniques. Figure out where to sit at Starbucks so that you have your back to a wall but don’t look like a pervert. And so forth.

Rather than freaking out and throwing tantrums because people are trying to inform you about how little a self-reported age at the OS level that can be requested matters.

Can I ask you to explain your point, “age doesn’t matter, your digital footprint carries over?” You mention solutions to protect yourself from the digital footprint carry over, but this law would just make it easier to overcome those solutions.

Now instead of having to figure out the various unique patterns of accessing the internet to determine info about you, you just tell them your age (or that you’re an adult, whatever) on those systems directly.

I also think it’s a bit disingenuous to call ‘this is the first step towards something worse’ a slippery slope when that is exactly how the creeping erosion of privacy has gone in the US historically, but especially the last few decades.

You acknowledge that a lot of people don’t fully understand how to protect themselves (and offer solutions that require more money, time, and education to accomplish) and in the same breath that is why it’s okay that we make data collection easier.

I know this probably comes across as accusatory, but I really don’t mean it that way. I’m genuinely trying to understand what your perspective is.

Can I ask you to explain your point, “age doesn’t matter, your digital footprint carries over?”

I… didn’t say that? Not sure if you replied to the wrong person?

But I’ll try to respond to what I can?

You mention solutions to protect yourself from the digital footprint carry over, but this law would just make it easier to overcome those solutions.

Assuming we are referring to the California legislature (I believe most/all of the US legislature is on the same grounds. The proposed EU "framework"s are very different), there is no requirement for third party verification.

It is literally the same check we already have. “Enter a random ass date that is more than 18 years ago”. This doesn’t “overcome” anything and, arguably, is a good law to get on the books so that you can say “Something is being done” before all the legislature and “frameworks” that want to be built around third party verification and “digital passports” do gain traction.

Now instead of having to figure out the various unique patterns of accessing the internet to determine info about you, you just tell them your age (or that you’re an adult, whatever) on those systems directly.

All of this is already happening and HAS already happened. You know all those stories about how google knows you are pregnant before you miss your first period? You know how you can quite often just click “verify you are human” and it processes without making you generate training data?

Hell, you know how targeted ads are a thing?

All of that is the same thing. It is about building profiles that tend to be so ridiculously specific that it isn’t even “This user connecting from Norway actually lives in the US and is from Cleveland” and is more “Oh, this is Oswald Harvey using his nordvpn subscription. He tends to favor the endpoints that are 25% down the list”

I also think it’s a bit disingenuous to call ‘this is the first step towards something worse’ a slippery slope when that is exactly how the creeping erosion of privacy has gone in the US historically, but especially the last few decades.

  • This is not exclusive to the US. This is something being pushed globally.
  • I never said this is “the first step towards something worse”. That step happened LONG before programming computers was “women’s work” and the Cray loveseat was a genuine accomplishment.
  • Both of which speak towards why people need to educate themselves to understand what information is already out there.

    You acknowledge that a lot of people don’t fully understand how to protect themselves (and offer solutions that require more money, time, and education to accomplish) and in the same breath that is why it’s okay that we make data collection easier.

    Yes? I am sorry that protecting your privacy takes effort? I am sure that if you pay a random sponsor on an LTT video that they’ll claim to do everything for you?

    Like… I really don’t know what to tell you?

    The idea of storing age in the OS is that end programs don’t actually access it directly. They get age ranges, like child/adult, not the actual birthdate. In theory, it’s much more private than uploading your id and photo to every random website/app that you use.
    If the age or birthdate is there it could leak, regardless of the API.
    Any age check is just a good way for predators to know WHO are the actual children, and with the Epstein files revealing the whole billionaire and politician interest in trafficking and raping minors, this is essentially the perfect playground for them.
    ^^^ If you needed proof that Lemmy is overrun with bots just like everywhere else.
    Yeah, to be completely honest, the one place where you actually could trust this kind of information is on your own local (and ideally libre-oriented) OS, never leaving your device and instead obfuscated through an API that’s exposed to whatever services need to do an age check, with the potential for additional security impositions or other concessions from data requesters due to the leverage of still having your data controlled by you. This is the bonus FOSS part where we get a say on how we want our data to be exposed on our libre systems. Other users aren’t so lucky and don’t get to have any voice on how this implementation happens, so we should probably participate in the discourse for those PRs rather than condemn them point blank.

    That’s just systemd adding a birthdate field to their userdb. Doesn’t require that it be filled out or accurate, and especially doesn’t require it to be validated against a government database. I don’t see it as fundamentally any different from adding a userdb field for favorite color, phone number, or blood type.

    Without 3rd party validation, I really don’t see the privacy issue with an age field. Without verification, it is, at worst, one more byte available to hash into a unique identifier, but you can feed that field from /dev/random at every query and poison even that hypothetical.

    Why the ever loving fuck does an init system even need a user database?

    Honest to God, if FIFA were giving out a World “Understanding UNIX” Prize, Poettering would be the inaugural, and only, winner. Never in the field of operating systems has one man driven so much enshittification through sheer force of cluelessness coupled with supreme arrogance. And in a world that Steve Ballmer still occupies, that’s one hell of an accolade.

    Systemd is more than an init system. Systemd was designed to be different from previous Unix-style single-/narrow-purpose services. Many distros making the switch seems to indicate that such a switch had significant enough upsides or necessities. No?

    I read an article about why Systemd became what it is, and why it makes sense, and that made sense to me. Integration and a fully designed system has advantages over disconnected utilities and systems you have to connect and negotiate, especially on system- and boot-up level concerns.

    That’s just systemd adding a birthdate field to their userdb. Doesn’t require that it be filled out or accurate

    You. Don’t. Get. It.

    Please don’t give them any ideas. Here’s a list of what’s currently included:

    systemd.io/USER_RECORD/

    JSON User Records

    You are absolutely right, we are not in fact getting screwed, they are just applying the lube for later. (Shamelessly stolen from elsewhere)
    Which already has a revert commit github.com/systemd/systemd/pull/41179
    Revert "userdb: add birthDate field to JSON user records (#40954)" by paramazo · Pull Request #41179 · systemd/systemd

    This reverts commit acb6624, reversing changes made to ba1caf0. Revert "userdb: add birthDate field to JSON user records (#40954)" After extensive community discussion, legal review and c...

    That has already been closed
    The self-important creator of Systemd has personally blocked that PR, if I’m hearing correctly, which would suggest he or his employer Microsoft is all in on it.
    He left MS in January

    It’s an optional field in the userdb JSON object. It’s not a policy engine, not an API for apps. We just define the field, so that it’s standardized iff people want to store the date there, but it’s entirely optional.

    “I’m not picking a side” and “this future proofs standardization” is of little comfort. This is seriously suspect and now I have to look for alternatives to SystemD(odgetheissue).

    Maybe this’ll take the shine off that wunderkinder mess and people will finally be free to choose something more reliable. I love how RH pushed this beta software so hard and my reboots are now just shite – unreliable and occasionally ridiculously delayed.

    I’ll be glad to see the back of that metastatic shitball.

    DoB recording, and ID age verification, are two different things though.
    No they’re the same in this context.
    I imagine people behind this law are pretty interested in this small but powerful user base. I would just boldly assume that a lot of people responsible for independent software and privacy advocates are using Linux etc. So it’s an interesting user base for sure. But regulating open source software luckily is pretty much impossible and they won’t give up their (our) privacy without a fight. Also, we will see how much the user base will grow when these regulations get tighter.
    They can simply say on their download pages that residents of Brazil and California are not allowed to use their OS.

    Genuine question:

    Is Graphene a “big name”? They talk a big game and are probably one of the biggest alternative phone OSes but all results I can find are putting them at 250k users and less than 2% of the Android market share.

    But, more importantly: Do they at all care about US government contracts? Red Hat have RHEL. Ubuntu have whatever they call their premium OS for enterprise users. Google and Apple are obvious.

    Big enough for a headline, not big enough to make a difference.
    I would go so far as to say they are only big enough to make an updoot-bait headline at that.
    GrapheneOS has a deal with a hardware manufacturer, Motorola. I’d consider this refusal to be a big deal on those grounds alone
    Frankly I think they are the largest OS vendor that is going to take a principled stance on this.

    Linux Distros (so far) Refusing Age Verification

    Ageless Linux — Software for Humans of Indeterminate Age