California Digital Age Assurance Act (AB 1043)

Full text here. It’s short, so just read it.

This bill has now passed both cambers of California’s legislature with completely unanimous support. I don’t foresee a future where this gets vetoed.

It requires device vendors to ask for the users age upon initial setup, or before the user can install software. It also requires device vendors to build in a means for any application that asks for it to see this age.

As Purism sells computers with an operating system installed, and I see no difference in obligations for number of users, or whether the software even has a GUI, I don’t see any reason why they don’t have the same requirements, so they can expect this to show up in PureOS or whatever you’re planning on calling it. I doubt anyone will make different California compliant and non complaint operating system versions for this. And I also doubt Purism will be able to control the implementation for providing user age to applications, if an influential organization like IBM wants to store it encrypted and transmitted to apps with signatures from the device TPM (as opposed to say, a text file sitting around /etc somewhere), you’re probably not going to have a choice.

I’m sure you’ll go along with this because it means little for now (until IBM or whoever puts its foot down), and you can’t afford the fines, but this is global. Every single human being on Earth has just now been forced to enter their age into their OS by a decision of 97 people, who only have to answer to less than a hundred million of them.

What has me worried is that its creates a new global norm, where computers verify your age. We BARELY avoided a situation in which any website could ask for this information from any computer, there’s no reason it can’t just happen with no one talking about it. And of course, there will be further demands to add your government ID to your computer to make sure you’re really an adult, because if it’s just a fact of life that computers collect your age, what’s so wrong about comptuers collecting everything?

I guess I’m not really asking for action, because I know nothing will change. Every government seems to want this. Maybe I just want to know if anyone heard about this before I did.

True but it is possible that the software doesn’t even ask unless it has been configured or determined to be in CA. (As part of initial setup, it asks for timezone. For most people in the world that immediately implies “not in CA”, so they shouldn’t be asked.)

I didn’t read the legislation closely enough to know what happens if I am a resident outside of CA but I happen to be passing through CA.

Important to clarify … account setup, not initial setup. Now it is typically the case that initial setup must involve creating at least one account. However it could apply subsequently as well when a second account is set up.

Goodness knows what happens when I am setting up an account that does not correspond to a natural person e.g. a daemon / service / server process account. Maybe that was covered in the legislation.

Storing the age at all is a bit weird since the age can be expected to increase over time.

I guess more logical would be … use the age and the date of entry of the age to calculate the nominal or approximate date of birth - and store that. It will then be possible at any future time to determine the approximate then age.

So, for example, if I say at account setup … I am 15 and the date is 14 September 2025 then it would record DOB as 14 September 2010.

And given that this is at account setup, it can’t really be a file in /etc. It would either need to be a field in the relevant line of /etc/passwd, or alternatively of /etc/shadow or a file in ~. For compatibility reasons I think that either of those two specific files in /etc is too difficult. So probably just a file in ~.

This kind of thing is already a problem in certain other countries.

The real concern for me comes when you have to prove that the age you entered is truthful. (That then takes you down the road of potentially leaking a lot more than just age / DOB.)

After all

means bugger all if the age is just a fictional number entered by the user.

No system should ever be able to see either your DOB or your age. At most the system should be able to see whether you are an adult (in your jurisdiction). Where a jurisdiction creates confusion about what “adult” means - because different things become legal at different ages - it should still be possible just to specify that your age equals or exceeds the maximum of all those threshold ages, hence you are legal for any purpose - and noone has a right to know your age.

Up to a point that is the way the legislation really works, referring to “age brackets” (a CA-specific set of age brackets of course) rather than leaking your actual age.

I guess it could be improved so that once you reach 18, the recorded information must be erased (and it just says ADULT).

I wonder how this would work with something like TAILS or how this would work with a Live Boot. I guess one could argue that “account setup” never happens.

I wonder how this would work with abandonware (admittedly more likely to be an issue outside of the Linux world). I know some people are determinedly sticking with really old versions of Windows because more recent versions of Windows are more like spyware than an operating system and/or for other reasons. What happens to them?

Overall, yes, this sucks. “somebody think of the children” works yet again for intrusive, sucky legislation.

This would have put a damper on the 15 year-old wiz-kid in the HP lab in the 1970s.
(And would he have needed to verify his own age before or after he wrote his own application?)

It doesn’t really specify, so I’d have to presume it applies to anyone setting up accounts (or having already set up an account before January 1 2027) and installing software in California. Or anyone developing software in California. Or anyone in California who has control over a repository. Or possibly even everyone on Earth, limited only by who California is allowed to fine.

And as for abandonware, it’s not specifically exempted, but if it’s from before January 1 2027, I guess they’re covered by ex post facto rules. The repository owner, that’s a bit trickier. It doesn’t seem to say they have to collect user information. But it implies they have to make a good faith effort to comply somehow, and the only way I can think of to be totally sure you’re doing that is for the repository to implement age verification of its own and send that to the developer. Which for abandonware means a lot of messages going nowhere.

They don’t even really say what the developer is supposed to do with that user information. I guess they’re leaving content restrictions (what else would this be for) up to future laws or past ones I haven’t heard of.

I really don’t see any exemption for that.

This bill is going to create a million headaches. It applies to ALL “general purpose” computing devices, but that technically includes smart fridges or even vape pens as long as they are capable of I/O and running a Turing-complete language. Or will we ignore devices that don’t “look like” a computer—in that case my router is an x86 machine with display capabilities, and I’m happy to use that! As pointed out above, what about service accounts? What about devices that don’t normally have a display, where you install Linux by flashing the image then you never touch it again? Do servers count? Does pip or nuget count as an “app store”? (You can literally install software via pip, it’s not just for dev libraries.) None of this is sufficiently specified in the bill, yet it could apply to almost anything in computing, which means this will likely serve as a bludgeon used to tie up undesirables in expensive legal battles.

Purism should be particularly concerned, as I think this is primarily aimed at makers of consumer hardware, and Purism falls squarely in that category. Flathub needs to look into it as well.

I disagree with that interpretation but ultimately it would be up to a court to interpret “general purpose computing device” (GPCD) as it is not defined in the legislation.

I dare say that you are right that hastily drafted or broadly drafted legislation can have unintended consequences.

There is a complication though because a vape pen, for example, could be a GPCD if you reflashed different operating system software on it. As you say, almost any embedded computer these days could be a GPCD. I think the intent is that the device must be a GPCD as supplied.

Also that applies for the purposes of this legislation only if it has an internet connection and can download software.

When you read your link about turning a vape pen into a web server … a vape pen as sold clearly isn’t a GPCD and doesn’t have an internet connection but if you are fairly good with low level hackery, you can turn it into one. If you do so then you could in theory be covered by this legislation. The original manufacturer might have no such obligations.

Also note that the legislation refers to mandatory actions at “account setup”, which might well never occur on a computer no matter how much it is a GPCD. Even if a smart fridge can download applications, a shared device like a smart fridge or a smart TV doesn’t have the concept of an “account”. There is no natural person who has an age and even if there were, it is non-unique (could be anyone in the household) and hence meaningless. It is not a single-user device and there is no process for “logging in” to an account. The legislation explicitly calls out the concept of “primary user”.

The intention in sending the “signal” is that the signal applies to the specific person who is using the device. If it’s not single user and there is no login process then both user and age are meaningless.

I don’t know what the law in CA says but I doubt that it is actually legal to sell a vape pen to a “primary user” who is a “child” in many jurisdictions.

As an aside, some time ago, I stumbled upon some kind of vaping device that had been discarded and it actually had an attached (quite small) screen. I imagined that the intention is to display advertising on the screen but I don’t really know. (The device had been damaged and, after inspecting it, I ewasted it.)

So, yes, the boundary between what is and is not a GPCD is messy and the set of GPCDs will no doubt grow in the future as everything becomes “smart” aka “actually a very dumb idea”. Maybe this legislation will turn the tide on making everything “smart”.