California Digital Age Assurance Act (AB 1043)

Full text here. It’s short, so just read it.

This bill has now passed both cambers of California’s legislature with completely unanimous support. I don’t foresee a future where this gets vetoed.

It requires device vendors to ask for the users age upon initial setup, or before the user can install software. It also requires device vendors to build in a means for any application that asks for it to see this age.

As Purism sells computers with an operating system installed, and I see no difference in obligations for number of users, or whether the software even has a GUI, I don’t see any reason why they don’t have the same requirements, so they can expect this to show up in PureOS or whatever you’re planning on calling it. I doubt anyone will make different California compliant and non complaint operating system versions for this. And I also doubt Purism will be able to control the implementation for providing user age to applications, if an influential organization like IBM wants to store it encrypted and transmitted to apps with signatures from the device TPM (as opposed to say, a text file sitting around /etc somewhere), you’re probably not going to have a choice.

I’m sure you’ll go along with this because it means little for now (until IBM or whoever puts its foot down), and you can’t afford the fines, but this is global. Every single human being on Earth has just now been forced to enter their age into their OS by a decision of 97 people, who only have to answer to less than a hundred million of them.

What has me worried is that its creates a new global norm, where computers verify your age. We BARELY avoided a situation in which any website could ask for this information from any computer, there’s no reason it can’t just happen with no one talking about it. And of course, there will be further demands to add your government ID to your computer to make sure you’re really an adult, because if it’s just a fact of life that computers collect your age, what’s so wrong about comptuers collecting everything?

I guess I’m not really asking for action, because I know nothing will change. Every government seems to want this. Maybe I just want to know if anyone heard about this before I did.

True but it is possible that the software doesn’t even ask unless it has been configured or determined to be in CA. (As part of initial setup, it asks for timezone. For most people in the world that immediately implies “not in CA”, so they shouldn’t be asked.)

I didn’t read the legislation closely enough to know what happens if I am a resident outside of CA but I happen to be passing through CA.

Important to clarify … account setup, not initial setup. Now it is typically the case that initial setup must involve creating at least one account. However it could apply subsequently as well when a second account is set up.

Goodness knows what happens when I am setting up an account that does not correspond to a natural person e.g. a daemon / service / server process account. Maybe that was covered in the legislation.

Storing the age at all is a bit weird since the age can be expected to increase over time.

I guess more logical would be … use the age and the date of entry of the age to calculate the nominal or approximate date of birth - and store that. It will then be possible at any future time to determine the approximate then age.

So, for example, if I say at account setup … I am 15 and the date is 14 September 2025 then it would record DOB as 14 September 2010.

And given that this is at account setup, it can’t really be a file in /etc. It would either need to be a field in the relevant line of /etc/passwd, or alternatively of /etc/shadow or a file in ~. For compatibility reasons I think that either of those two specific files in /etc is too difficult. So probably just a file in ~.

This kind of thing is already a problem in certain other countries.

The real concern for me comes when you have to prove that the age you entered is truthful. (That then takes you down the road of potentially leaking a lot more than just age / DOB.)

After all

means bugger all if the age is just a fictional number entered by the user.

No system should ever be able to see either your DOB or your age. At most the system should be able to see whether you are an adult (in your jurisdiction). Where a jurisdiction creates confusion about what “adult” means - because different things become legal at different ages - it should still be possible just to specify that your age equals or exceeds the maximum of all those threshold ages, hence you are legal for any purpose - and noone has a right to know your age.

Up to a point that is the way the legislation really works, referring to “age brackets” (a CA-specific set of age brackets of course) rather than leaking your actual age.

I guess it could be improved so that once you reach 18, the recorded information must be erased (and it just says ADULT).

I wonder how this would work with something like TAILS or how this would work with a Live Boot. I guess one could argue that “account setup” never happens.

I wonder how this would work with abandonware (admittedly more likely to be an issue outside of the Linux world). I know some people are determinedly sticking with really old versions of Windows because more recent versions of Windows are more like spyware than an operating system and/or for other reasons. What happens to them?

Overall, yes, this sucks. “somebody think of the children” works yet again for intrusive, sucky legislation.

This would have put a damper on the 15 year-old wiz-kid in the HP lab in the 1970s.
(And would he have needed to verify his own age before or after he wrote his own application?)

It doesn’t really specify, so I’d have to presume it applies to anyone setting up accounts (or having already set up an account before January 1 2027) and installing software in California. Or anyone developing software in California. Or anyone in California who has control over a repository. Or possibly even everyone on Earth, limited only by who California is allowed to fine.

And as for abandonware, it’s not specifically exempted, but if it’s from before January 1 2027, I guess they’re covered by ex post facto rules. The repository owner, that’s a bit trickier. It doesn’t seem to say they have to collect user information. But it implies they have to make a good faith effort to comply somehow, and the only way I can think of to be totally sure you’re doing that is for the repository to implement age verification of its own and send that to the developer. Which for abandonware means a lot of messages going nowhere.

They don’t even really say what the developer is supposed to do with that user information. I guess they’re leaving content restrictions (what else would this be for) up to future laws or past ones I haven’t heard of.

I really don’t see any exemption for that.

This bill is going to create a million headaches. It applies to ALL “general purpose” computing devices, but that technically includes smart fridges or even vape pens as long as they are capable of I/O and running a Turing-complete language. Or will we ignore devices that don’t “look like” a computer—in that case my router is an x86 machine with display capabilities, and I’m happy to use that! As pointed out above, what about service accounts? What about devices that don’t normally have a display, where you install Linux by flashing the image then you never touch it again? Do servers count? Does pip or nuget count as an “app store”? (You can literally install software via pip, it’s not just for dev libraries.) None of this is sufficiently specified in the bill, yet it could apply to almost anything in computing, which means this will likely serve as a bludgeon used to tie up undesirables in expensive legal battles.

Purism should be particularly concerned, as I think this is primarily aimed at makers of consumer hardware, and Purism falls squarely in that category. Flathub needs to look into it as well.

I disagree with that interpretation but ultimately it would be up to a court to interpret “general purpose computing device” (GPCD) as it is not defined in the legislation.

I dare say that you are right that hastily drafted or broadly drafted legislation can have unintended consequences.

There is a complication though because a vape pen, for example, could be a GPCD if you reflashed different operating system software on it. As you say, almost any embedded computer these days could be a GPCD. I think the intent is that the device must be a GPCD as supplied.

Also that applies for the purposes of this legislation only if it has an internet connection and can download software.

When you read your link about turning a vape pen into a web server … a vape pen as sold clearly isn’t a GPCD and doesn’t have an internet connection but if you are fairly good with low level hackery, you can turn it into one. If you do so then you could in theory be covered by this legislation. The original manufacturer might have no such obligations.

Also note that the legislation refers to mandatory actions at “account setup”, which might well never occur on a computer no matter how much it is a GPCD. Even if a smart fridge can download applications, a shared device like a smart fridge or a smart TV doesn’t have the concept of an “account”. There is no natural person who has an age and even if there were, it is non-unique (could be anyone in the household) and hence meaningless. It is not a single-user device and there is no process for “logging in” to an account. The legislation explicitly calls out the concept of “primary user”.

The intention in sending the “signal” is that the signal applies to the specific person who is using the device. If it’s not single user and there is no login process then both user and age are meaningless.

I don’t know what the law in CA says but I doubt that it is actually legal to sell a vape pen to a “primary user” who is a “child” in many jurisdictions.

As an aside, some time ago, I stumbled upon some kind of vaping device that had been discarded and it actually had an attached (quite small) screen. I imagined that the intention is to display advertising on the screen but I don’t really know. (The device had been damaged and, after inspecting it, I ewasted it.)

So, yes, the boundary between what is and is not a GPCD is messy and the set of GPCDs will no doubt grow in the future as everything becomes “smart” aka “actually a very dumb idea”. Maybe this legislation will turn the tide on making everything “smart”.

Hi guys. I am not a lawyer but I was told that according to this new California law here, anyone who develops an operating system such as Linux/PureOS which gets used in the state of California by a child will be liable for a fine of $7500 per child or something like that, unless the operating system can couple that child to a sufficiently detailed online identity so as to determine the age of the child and provide it when downloading application software online or something like that.

Is this going to negatively affect Purism and start hitting them with a fine of $7500 per Librem 5 whenever one of these devices is purchased by an adult and then handed to a child in the state of California? If so, is this the beginning of the end of computers and push towards an era where only Android and iPhone are legally permissible devices?

As an Englishman, I’d like to apologise for this creeping overreach.

It started here, when the so-called “Online Safety Act” got past Parliament. And so when another “liberal modern democracy” saw that, they said “Look, they’re doing it too so it must be alright. But we can do it better”.

And that was the narrow end of the wedge.

No one remembers when children drove cars without penalty. Then they came up with the idea of a Drivers Licence. Expect licenses to operate a computer soon. With age restrictions and learner’s permits, and a multi-question exam.

For humour’s sake we can come up with sample exam questions. Feel free to start a new thread on that. Questoin #1: When do you do rm -rf / ?

I am assuming Purism will be leaving California to combat this? Invasion of the first amendment should never be a thought of lawmakers. Technology changes, human rights do not.

I don’t. But I was able to drive farm equipment on rural (non-highway) roads at age 10 … without any license. I think these days it requires passing a “tractor safety course” (24 hrs) and you have to be 12 or older.

I got my automobile drivers license at age 14.

I’m old enough that they would revoke mine for being “too old”.

Some notes on whether it could be done, but nothing on whether it should be done. I could be done and wouldn’t be hard.

1. I suppose the Linux OS vendors could use the GECOS field of /etc/passwd (that’s the field that stored “finger” data). It’s readable by all users so that may not be great. Regardless of where one stores this (/etc/age, /etc/passwd, ~/.age [can be changed by user]). It wouldn’t be hard to implement.
2. There’s not a real API specified (only what information needs to be returned). That means that the OS creator can implement their own. This wouldn’t be hard. What’s funny is that applications would have to follow such an API … for every possible OS.

Government will, at long last, be forced to acknowledge the existence of operating systems other than Windows, MacOS, iOS, and Android! (sarcasm)

As an Australian, I’d like to apologise for this creeping overreach too.

“Banning” youngsters from social media started here - and of course it is dependent on some kind of age verification - and I just know that this bad idea will spread to other countries.

Won’t somebody think of the children …

“Oh, hey! Look over there! Shiny!” - an American

If the file is created by root, to be owned by root, allowing only read access for ugo, and you use chattr +i ~minor/.age after creation of the file, then maybe .age can’t be changed or deleted by the user, minor, at least not using file system operations.

There would be other ways of tackling this without using chattr e.g. a (PAM?) check at login that a) the file exists and b) the file is owned by root and c) has correct permissions. (Similar logic already exists elsewhere in Linux trying to prevent the user shooting him/herself in the foot.)

So, sure, the user, minor, can delete the file (after ignoring the warning) but then the user would never be able to log in again until fessing up to the system administrator.

And as noted above, we don’t really want to store ‘age’. We want to store DOB information so that an updated age is available over time. As such, .age would be a quirky name for the file.

And likewise this is not a comment on whether it should be done.

(I had to install the finger command.)

Worthy of discussion but seems risky to me. It doesn’t seem like the content of this field is completely standardised. So adding ‘age’ (DOB) might conflict with existing site-specific uses.

Note also that the chfn command may allow non-root users to change some of the information in this field for their own record (subject to system-dependent configuration) - so that would limit how this field could meaningfully be used. Only the ‘other’ subfield is guaranteed protected from user write.

At a quick survey of some of my systems … only the ‘name’ subfield of the GECOS field is being used, and the next three fields are being defaulted to empty strings, and the ‘other’ subfield is not present at all – so in practice you might get away with it i.e. it could be safe to put dob=n in the ‘other’ subfield of the GECOS field.

As you say, a disadvantage is that there is no way to keep this information confidential from other users of the system. And this is also a completely unnecessary leak in the event of a data breach (and, believe me, I see attempted directory traversal attacks against /etc/passwd more or less every week).

I guess if you were really keen, a system could generate a system-wide encryption key, store it somewhere that only root can read, and then store the n in dob=n salted and encrypted.

I don’t find that anywhere in the legislation. As far as I can see, whatever is claimed to be the age/dob is basically a fabrication. However we know how this thing works. First the government gets its foot in the door by forcing the stored information even to exist. Then later on they require the stored information to have some integrity.

Fun question. There could be a significant difference between the Librem 5 and all other platforms. All other platforms use an installer such that “account setup” might be something that actually occurs. The change should be readily doable.

On the Librem 5, as it stands today, there is no installer. You just blat a disk image onto the disk, which means that “account setup” never occurs (by default) in any meaningful sense but if it were taken to occur then it is done by Purism - so there could be an obligation on Purism either to change to an installer (could have some benefits anyway) or to put in some code that runs “first time” to simulate “account setup” occurring (even though the sole user account, purism, already exists) or to address the issue in some other way.

OK… How old is “root”?

I live in Califas. Here, all humans with grey matter that has not assumed room temperature ignore Lord Gavin’s stupid laws… and everything else he does. He can have my phone and other computers when he pries them from my cold, dead fingers.

Go ahead Gavin… I DARE you.

Well indeed. I’m not sure that the legislation says it but I think the intention is to cover accounts that pertain to a “natural person”. As I wrote above:

Goodness knows what happens when I am setting up an account that does not correspond to a natural person e.g. a daemon / service / server process account.

It is also not clear who sets up the root account or when that takes place.

Seemingly the penalties are all on the company, not on the user. Noone is coming for you. In addition, I’m guessing that you have obtained 18 years of age, hence the count of each “affected child” would be zero, as far as your contribution to the penalty on the company.

Of course, with any such legislation, what the situation is in the future can be different.