Reaction 1: how would this even work with embedded systems that have no UI to input this data?
Reaction 2: it's open source, make the lawmakers do submit the changes.
Reaction 3: how would this ever be enforced? Would they outlaw downloading distributions, or even older versions of distributions? When there's no exchange of money, a law like this is seems like it would be suppression of free speech.
Reaction 4: Someone needs to maliciously comply, in advance, on all California government systems. Shutdown the phones, the Wi-Fi, the building access systems, their Web servers, data centers, alarm systems, payroll, stop lights, everything running any operating system. Get everyone to do it on the same day as an OS boycott. And don't turn things back on until the law is repealed.
While there are some enforcement questions here, especially around non commercial OSes, most of your reactions are clearly based on the headline alone.
It defines operating system in the law. This wouldn’t apply to embedded systems and WiFi routers and traffic lights and all those things. It applies to operating systems that work with associated app stores on general purpose computers or mobile phones or game consoles. That’s it.
Enforcement applies as civil fines per-child usage. So no suppression of speech by banning distribution.
(Also it’s not age verification really, it’s just a prompt that asks for your age to share as a system API for apps from above app store, no verification required)
It defines the following terms: "account holder", "age bracket data", "application", "child", "covered application store", "developer", "operating system provider", "signal", and "user".
> This wouldn’t apply to embedded systems and WiFi routers and traffic lights and all those things. It applies to operating systems that work with associated app stores on general purpose computers or mobile phones or game consoles.
Presumably, this based on reading the language that in the definition of "operating system developer", and then for some reason adding in "game consoles" (the actual language in both of those includes "a computer, mobile device, or any other general purpose computing [device".
(I've also rarely seen such a poorly-crafted set of definitions; the definitions in the law are in several places logically inconsistent with the provisions in which they are applied, and in other places circular on their own or by way of mutual reference to other terms defined in the law, such that you cannot actually identify what the definitions include without first starting with knowledge of what they include.)
> "Covered application store” does not mean an online service or platform that distributes extensions, plug-ins, add-ons, or other software applications that run exclusively within a separate host application
There is a reasonable argument that a linux distribution is, itself, a host application. This is clearly an argument against their intention... but makes perfect sense to me. With this argument, the law does not apply to pretty much any environment where the applications are scheduled and run by a supervising process, at least by my reading.
In typical jury trials, the jury is instructed that any terms not defined in the relevant statutes are to have their common-sense, ordinary meanings as understood by the jury. The jury is usually also selected to be full of reasonable, moderate people, and folks who are overly pedantic usually get excused during voir dire.
Do you really think a pool of 12 people off the street is going to consider an embedded system, wi-fi router, or traffic light as an "operating system" under this law? Particularly since they don't even have accounts or users as a common-sense member of the public would understand them?
Not sure why you are appealing to the rule on terms that aren’t defined, since the actual question is whether or not thet consider the vendor of the software powering the device as an “operating system vendor” which is, in fact, defined in the law, and the answer there seems to be hinge on whether or not they think it is a general purpose compute device, which would seem almost certain to be no for a traffic light, and likely to be no (but more debatable and potentially variable from instance to instance) in the other cases you list.
> Particularly since they don't even have accounts or users as a common-sense member of the public would understand them?
Not sure what having accounts or users “as a common sense member if the public would understand them” is relevant to since, to the extent having a “user” is relevant in the law, it to is defined (albeit both counterintuitively and circularly) in the law, and having an “account” isn’t relevant to the law at all.
I've gone through the process a few times. It does not instill confidence in the system. And that's not including the emotional manipulation tactics that typically take place in jury trials.
MOST cases don't make it to jury. They're more likely to be resolved via motions and countermotions and the decisions of a jduge.
To dumb down "operating system" for normies, they're probably going to say something along the lines of "the software that makes your computer work.. like Windows." If it stays at that level, we'll have a specific, discrete definition in play.
A broader, equally correct definition could be "the software that makes technology work.. there's an operating system on your computer, your cell phone, your Alexa, and even your car." Then yes, some people will think of their Ring doorbell, the cash register at the coffee shop, and other embedded systems, even if they've never heard the word "embedded."
The definition that shows up will depend entirely on a) the context of the case and b) the savviness of the attorneys involved.
Defendants can always opt for a judge to rule on the case.
At that point, what the law actually says matters a lot (unless the judge is corrupt, which is becoming more common in the US, but with corrupt judges, it doesn’t really matter how good or bad the laws is).
You'll be arrested for some weird law that doesn't make sense, but it's ok because a pool of 12 people off the street won't consider whatever random thing you did a real crime!
" It applies to operating systems that work with associated app stores on general purpose computers or mobile phones or game consoles. That’s it"
Everything is a general purpose computer. Just look at how many things have been made to run doom. I haven't read the law specifically but if it actually does say this then that language is useless and means practically everything.
Wood is edible when processed correctly, but it's not legally considered "food" because there are a bunch of nontrivial steps to get it into that state. Likewise, any reasonable interpretation of "general purpose computer" in this context by a judge would not include your microwave oven just because someone with skill and finesse could transform it into a cursed Doom arcade machine.
Laws are interpreted by people trained to fill in the blanks[1] with a best guess of the legislative body's intent. And the intent here seems pretty clear: to regulate computing devices that let end users easily install software from a centralized catalog.
[1] which we all do subconsciously in day-to-day speech, because all language is ultimately subjective
They exempt applications that run inside another “host application” though, which is ~ everything in any modern app store.
I guess Linux native games on GoG might be covered. All windows and wsl programs run in userspace compat layers. iOS might be covered. Snap, probably not (containers), AppImage? Maybe?
All laws are vague and interpreted, and in common law (as in the UK and US) interpreted based on precedent rather than the specific text of the original law.
If people with power over you want to "selectively punish you" they don't need new laws.
And if you want perfectly proscriptive, defined laws in all situations with no "human interpretation" you're in the wrong universe, and may as well be shouting at clouds. The world, and especially human society and interactions, just doesn't follow strict definitions like that.
There are degrees of vagueness, but laws generally attempt to avoid being vague with many definitions and strict construction. If a law is sufficiently vague it may be invalidated, or it is at least required to be interpreted to the benefit of the defendant under lenity.
Vague laws are not required for selective enforcement. You can have strictly defined laws result in selective enforcement through law enforcement and prosecutorial discretion.
until you root out their friends and maliciously develop app stores for their products, then install them multiple billions of times on a docker and let them rack up charges ;) doom can run on -anything-
Frotz and Zork/Tristam Island and tons of Z3 machine games cna run on a pen, on a FPGA based display and even under a PostScript file where the interpreter was done in PostScript. Heck, with Subleq and EForth some Z3 interpreter can be coded to run the games on simple hardware made with high school/advanced trade electronics kits.
> (Also it’s not age verification really, it’s just a prompt that asks for your age to share as a system API for apps from above app store, no verification required)
It's not enough to adhere to the age signal:
> (3) (A) Except as provided in subparagraph (B), a developer shall treat a signal received pursuant to this title as the primary indicator of a user’s age range for purposes of determining the user’s age.
> (B) If a developer has internal clear and convincing information that a user’s age is different than the age indicated by a signal received pursuant to this title, the developer shall use that information as the primary indicator of the user’s age.
Developers are still burdened with additional liability if they have reason to believe users are underage, even if their age flag says otherwise.
The only way to mitigate this liability is to confirm your users are of age with facial and ID scans, that is why age verification systems are implemented that way: doing so minimizes liability for developers/providers and it's cheap.
> Developers are still burdened with additional liability if they have reason to believe users are underage, even if their age flag says otherwise.
This is true, but
> The only way to mitigate this liability is to confirm your users are of age with facial and ID scans,
This doesn’t follow. It says “if” the developer has clear reason, it doesn’t obligate the developer to collect additional information or build a profile.
I read this as - if you in the course of business come across evidence a user is under age, you can’t ignore it. For example - “you have to ban a user if they post comments saying they are actually underage”
That would have to be litigated in court, and the easiest and cheapest way to avoid litigation is to do what all platforms currently do: make sure the person using their system is who they say they are via face scans and ID checks.
As a developer, that is not the kind of liability I want to take on when I can just plug ID.me, or whatever, into my app and not worry if someone writes "im 12 lol" in a comment on my platform.
Is a repository on a linux machine an app store? Are custom repositories app stores? Does this mean that now most automated deployments are now not automated? If they can be automated, does that mean that having the automation by default makes sense?
The law defines a user as a child running software on a general purpose computer.
> “User” means a child that is the primary user of the device.
It’s definitely more vague that necessary, but I’d imagine courts would readily find automated software deployment by an adult or corporation does not constitute a child using the device. Especially if done for servers or a fleet. Because then it’s pretty obvious that a child is not the primary user of the computer nor the software. Even if that software is a server that involves childish activities (eg game servers).
But I’d imagine that Linux package managers associated with a desktop operating system provider would fall under this law. And that raises questions about the software distributed by said package managers.
What’s going to happen when there’s no UI, just a shell, and they pacman -S <mything>? This law is unconstitutional based on criteria of vagueness. If they want it to stick, they need to call out the commercial app stores of Microsoft, Apple, Google, etc where a credit card is attached. Otherwise it’s too vague a term unless they define “store”.
This doesn't follow. There are clear technicaö means to achieve complience in all of these scemarios. All those installers can, for example, check a file in /etc to determine the pirported user's age. If this does need external verification, this file can be signed by a third party identity checking service.
If the distros ship this mechanisms enabled in their binaires, but the users install circumvention tools (e.g. a package manager without checking mechanisms) from a thurd party, the distro provider should be off the hook.
The language in the bill says operating system “or” application store. Isn't that then implying any operating system that would download applications, even if it doesn’t come from a store. But IANAL.
Seems to me this would include TVs, cars, smart devices, etc. The Colorado version of this bill excludes devices used for physical purchase, so your gas pumps and POS systems would be excluded in CO. But I didn’t see that in the CA bill.
They’re both overly broad, ill-considered, frankly terrible bills that make as much sense as putting your birthday into a brewery site or Steam. Enter your birthday and we trust you. Now do that for every single one of those 100 VMs you just deployed…
Continually surprised by politicians wanting an OS to do what a parent should be doing. Why not just mandate that all devices with access control capabilities implement parental controls, and then mandate that all adults enable controls before handing a device to a minor? For devices that are incapable of user access control, the same rules as a knife, chainsaw or gun apply.
Only wealthy parents (upper middle class or better) have the time or energy to do anything other than work, put food on the table, and do basic child care.
Most parents lack the technical expertise to police digital devices.
This isn’t so heavy handed. The purpose of age signaling is so that a parent can set in one place an age, and then federal privacy protections under COPPA and state protections under the AADC kick in.
The big three will love this. They'll implement the feature, then they get to dob in Linux and friends and get them buried in regulatory lawsuits.
All three already have identity linked accounts. Windows practically shoves it down your throat on install, for example. They'll love the excuse to finally disallow web-free accounts.
It’s only enforced by the CA Attorney General, and I’d be surprised to see a threat, let alone a lawsuit, against Linux on this. Not to say this is ideal.
> I doubt the california legislature knows what a Linux even is.
All Congress critters have staff to help write the bills and fill out the policy. You can bet your sweet bippy that there are people on staff in the California legislature who know what a Linux even is.
Exactly. This is obviously targeted at these three, and in those cases will be a massive improvement over forcing every site operator to start collecting photo ID.
It’s the V-chip and Clipper chip madness all over again. While they are at it can they start requiring the rich, famous, and powerful to get age verification before interacting with people to prevent another Epstein?
It’s clear you last poked your head out of a hole in the ground 30 years ago. Check out the iPhone and the Internet while you’re up here, they will blow your mind.
> Reaction 3: how would this ever be enforced? Would they outlaw downloading distributions, or even older versions of distributions? When there's no exchange of money, a law like this is seems like it would be suppression of free speech.
That's not what will happen. We've already seen examples of what will happen. So let me just list them instead:
1. The Secure Boot chain for UEFI initially mandated that only OS that were signed by Microsoft would be allowed to boot on PCs where SB is enabled. This was partially rolled back after public backlash.
2. iOS devices and majority of Android devices already don't allow you to install an alternate OS or distro.
3. Platform attestation proposals like Web Environment Integrity and its Android version.
4. Mandate that every developer must register with and pay an MNC to be able to release any app on their platforms.
Basically, they'll just take away your ability to control your device in any way. Don't be surprised if it turns out that these MNCs were behind such legislations. But this legislation is especially dangerous in that it will effectively kill user-controlled general-purpose computing, even from vendors like Pine64, Framework, System76, Fairphone and Purism who are willing to offer those.
Considering the amount of damage caused by these sort of legislative BS, those who propose and vote for such bills should be investigated publicly for corruption, conflict of interests and potential treason. They should be forced to divulge any relationship, directly or indirectly, with the benefactors of these bills. On the other side, rich corporations should be banned from 'lobbying' or bribery more appropriately, in matters that they have a stake in. And they should have stiff penalties for any violations. Not those couple of million dollar slaps on their wrist. At least 5% of their annual global profits, incarceration of top executives and breaking up the company. There has to be a consequence that's uncomfortable enough, for any fairness to be reestablished. This should apply even more for those professional lobbying firms and 'industry advocacy groups'.
People also need to start strongly opposing, rejecting and condemning justifications like this that rely on the cliche tropes of CSAM, terrorism, public safety, national security, etc. None of those measures are necessary or even useful in preventing any of those. Insistence on the contrary should be treated as an admission of inability and incompetence of the respective authorities in tackling the problem. In fact, why do they assume that kids, especially teens, are unimaginative and incapable of working around the problem? They should at least be starting with awareness campaigns to get the kids and the parents on their side and empower parents to enforce parental controls, instead of reaching for such despotic measure right away. This is like banning drugs before the problem of drug addiction is addressed. Black markets exist, even for cyberspace. It will just make the problem a whole lot worse.
And finally, don't let people without clearly proven vested interests anywhere near such regulations. And choose professionals or at least competent people for taking such decisions. You can't rein in this attack on ordinary people without stemming the uncontrolled corruption in the public offices that deal with it.
>> An operating system provider shall [...] provide an accessible interface at account setup that requires an account holder to indicate the birth date, age, or both, of the user [...]
>> “Operating system provider” means a person or entity that develops, licenses, or controls the operating system software on a computer, mobile device, or any other general purpose computing device.
Your hypothetical "embedded system" almost certainly neither has an account setup process in the first place, nor is it a general-purpose computing device, a mobile phone, or a computer.
> Reaction 3: how would this ever be enforced?
Pretty easily? They enforce it against the OS vendor for not providing such a process. They aren't enforcing the correctness of the age, nor are they claiming to.
> Someone needs to maliciously comply, in advance, on all California government systems.
...what? This is a law demanding compliance from OS vendors. Whose compliance is it even demanding in government systems for them to be malicious about it?
This term doesn't seem defined in the law at all. How general is general?
Graphing calculators that support apps and Python? Of course, they don't usually have "accounts" either. But to a technologist it's a "general purpose computer" insofar as it can run new code that the user loads into it, it can definitely run games that it didn't come from the factory with, etc. It's a tiny multipurpose computing device.
Laws in the US aren't taken as literal as in civil law systems. The intent and precedent is what carries much more weight in the end. Graph calculators are unlikely to be tested in court because it's irrelevant with respect to what this law is trying to accomplish.
> Reaction 3: how would this ever be enforced? Would they outlaw downloading distributions
They can outlaw you from using those distributions and/or scare the maintainers so there won't be distributions anymore. And if you want to use a desktop computer rent one from an hyperscaler, tied to a credit card and access it from a tablet with age verification. I don't know if I should add /s
Reaction 2: it's open source, make the lawmakers do submit the changes.
Reaction 3: how would this ever be enforced? Would they outlaw downloading distributions, or even older versions of distributions? When there's no exchange of money, a law like this is seems like it would be suppression of free speech.
Reaction 4: Someone needs to maliciously comply, in advance, on all California government systems. Shutdown the phones, the Wi-Fi, the building access systems, their Web servers, data centers, alarm systems, payroll, stop lights, everything running any operating system. Get everyone to do it on the same day as an OS boycott. And don't turn things back on until the law is repealed.