GrapheneOS refuses to comply with new age verification laws for operating system (opens in new tab)

johnisgood3d ago

Or just not have it at all? What is wrong with parental controls AND parenting? What real issue does this solve?

3 more replies

hulitu2d ago

> it's the only form of "age verification" which can be done in a somewhat privacy respecting way (as in at most leak the age)

could. But Google, Microsoft and Meta do not want to do it this way. They want to sell your personal data, the more, the better.

ymolodtsov3d ago

Ideally, they'd require OS (desktop and mobile) to have an adult mode and a restricted mode (set up by the adults when they buy the device), and then let third-party apps confirm the status (e.g., age) in the latter case. Then you have minimal privacy issues and many parents actually want something like this.

xtiansimon3d ago

> “Most households aren't going to have a separate device for every family member…”

They want us to all to have user accounts and login like well behaved workers. So cute. Little Donald can login for hisself, and doesn’t need mommy to do it for him.

ArtRichards3d ago

Apparently there's been work to expose Meta pushing/funding this, to shift age responsibility from them and force for fine grained age data to be provided to apps.

egorfine3d ago

> Age verification at the OS level makes no sense to me

If taken at face value, sure.

The goal of those age verification laws are not age verification.

TiredOfLife3d ago

Every semi competent os has suppoert for multiple users

izacus3d ago

What are you talking about, most households give personal phones to their children, especially teenagers.

Laptops aren't rare either.

zamalek3d ago

Give the kid a device that is age-controlled. No need for all devices to support it.

bradfa3d ago

I suspect there’s quite a difference between what most people do and what most HN commenters do.

chazeon3d ago

Most CA households may be, but obviously not everywhere

DebtDeflation3d ago

Once you get outside the SV and NYC bubbles, the vast majority of kids do not have their own laptops in the US. Phones, obviously are somewhat more common, but as even you note that's mainly with regard to teenagers - the average 10 year old in middle America does not have their own phone.

nout3d ago

In the meantime systemd already added handling for Age to the system bus. Next step is to add your race, then income, then who you voted for...

crimsonnoodle583d ago

Why? Why should Linux ever implement local laws like this as core functionality? Especially invasive/anti-privacy ones.

If someone wants to introduce an age-verification-ca-module, fine, but not make it core. Yes I understand systemd is not the kernel, but its ubiquitous enough.

That just says to every country around the world; Windows, Mac, and even Linux is on board too, let's make it law also!

I dunno, I always expected Linux to be the last bastion of freedom and not to capitulate so easily.

wormius3d ago

Systemd has always rubbed me the wrong way, and its uptake across all the base distros turns me off, but at least...

https://nosystemd.org/

There are still distros without it, I may have to go to one, since I already jumped Win10 to Cachy for the BS MS is pulling. I was going to go systemd-free but Cachy "just worked" compared to the others in terms of setup. So I stuck with it.

I wish Lennart would just stop already.

handoflixue3d ago

> Why? Why should Linux ever implement local laws like this as core functionality? Especially invasive/anti-privacy ones.

1) It's legally required to sell computers with that OS in certain jurisdictions

2) I presume there is at least one person actually selling said

3) The feature is so trivially easy to bypass that it presents no reasonable privacy threat at this time (IIRC, it's just a numeric field with no validation?)

egorfine3d ago

> Why? Why should Linux ever implement local laws like this as core functionality?

I have no idea.

But they did actually bend over.

dathinab3d ago

> Why?

it's maintained by companies

they have to comply with law

that they are mostly US companies doesn't exactly help either

Muromec3d ago

Finally we can set the evil bit correctly on a kernel level.

That is ok. The writing was on the wall for a while. It is time to let it go. It served its purpose. We might as well start mapping out a way without it in a more serious way out of sheer necessity. I know I am.

https://www.youtube.com/watch?v=nXL-r8deB5o

joe_mamba3d ago

Western tech direction in the last 5 years:

gruez3d ago

If you think that's bad, just wait till you see eastern tech.

https://en.wikipedia.org/wiki/Slippery_slope

enoint3d ago

Nit: introducing a user account field is not the same as the system bus. It’s in ~/.identity and might be absent altogether.

throwawayk7h3d ago

to clear up a misconception for everyone, systemd doesn't do age verification. it just lets you set age restrictions on accounts. It's very sensible.

cmxch2d ago

And for some distros, it’s a CoC violation to question it.

ranger_danger3d ago

> Next step is to add your race, then income, then who you voted for

sophrosyne422d ago

A guess for what's next is not a slippery slope argument, let alone a fallacy.

fsflover3d ago

From your link:

> non-fallacious forms of the argument can also exist.[7]: 273–311

drnick13d ago

I don't see what prevents anyone (e.g., a distro maintainer) from patching that anti-feature out of the source or disabling with with root access. As long as people can control the software running on their machines, which is the idea behind Linux, nothing that people don't actually want will stay in the system.

Systemd shouldn't be foisting this nonsense on Linux users however. I suppose the anti-systemd subset of the Linux community was proven right after all, this is the kind of issue that can end up facing when a huge piece of opinionated software like systemd more or less becomes an indispensable part of Linux.

alexdns3d ago

it was reverted ?

crooked-v3d ago

Someone tried to gaslight the maintainers into reverting it and was rejected.

stego-tech3d ago

Good on them. Devices shouldn't collect any extraneous data by default other than that needed to fulfill a feature a user consciously selects, and that includes this stupid age verification spyware regimes are pushing.

An adult had to pay for the ISP connection; that's the extent of age verification needed. We shouldn't be demanding adults expose their identities to for-profit entities and surveillance states, so much as mandating for-profit companies make parental controls easier to use, more effective, and stopping them from harvesting data on kids in the first place.

Not every corner of the universe needs to be baby-proofed; we just need to build a society where parents are enabled and supported to be parents, rather than outsourcing such a critical role to strangers and/or devices so they can get back to work.

pxeboot3d ago

> An adult had to pay for the ISP connection

In many countries, it is still possible to buy a prepaid SIM without any ID.

stubish3d ago

Fewer and fewer countries. I think none of the countries I've been too where I've purchased a SIM without ID allow that anymore. It is required to try to limit purchase by scam call centers and to enable phone number portability.

AlexandrB3d ago

And if such a country wants to keep kids off of the unrestricted internet they should just ban that practice.

wolvoleo3d ago

So, they can change that if they want.

charcircuit3d ago

Apps requesting an age is not extraneous and there are many legal and safety reasons why an app may collect this information. If the operating system doesn't do it you run into the cookie banner situation where every individual site has to implement a dialog box asking the user instead of there being a standardized way to do it.

Aerroon3d ago

I'll bite: what's the safety reason for an app to ask for age verification?

What kind of apps do you people use that are so dangerous? Does the computer zap you if you misuse the app or what?

stego-tech3d ago

Except the cookie banners are also optional, unless you're using third-party services to collect that data. Don't blame the cookie banner, blame the dozens or hundreds of "partners" that site is using to "process" your data, blame the site owner for building such a travesty of a page that they have so many "partners" in the mix harvesting extraneous info unnecessary for basic functionality instead of building a better, cleaner, leaner, targeted service.

loloquwowndueo3d ago

> An adult had to pay for the ISP connection

Ever heard of free wifi?

stego-tech3d ago

I have! And an adult still has to pay the connection charges to offer that free wi-fi. Or provide the funds for a kid to buy a device to connect to said free wi-fi.

You can go down the rabbit hole as far as you like, but it's to no avail. At some point, an adult has to consciously enable the child to connect to the internet. Full stop.

CqtGLRGcukpy3d ago

GrapheneOS also posted about it on their Mastodon / Fediverse account: https://grapheneos.social/@GrapheneOS/116261301913660830

IAmNeo15h ago

Age verification is stupid, parents the actual parents need to look after their kids and what they're doing on the computer. If I hadn't been able to sit down at my Atari 800 computer with 48 KB ram, as I pleased after school everyday since the second grade, I wouldn't be the person I am today I wouldn't know as much about computers and I would not be a tech savvy person at all. These age verification measures are strong handed nanny type rules and laws that have no place in the household, it is not the government's job to raise children it's the parent's job. You're going to raise a whole generation of dummies.

pull_my_finger3d ago

I wonder how things like computers at the library will work. This whole thing is just so stupid and intrusive. I can't imagine anyone will benefit from this except advertisers, doxxers and Big Brother.

wolvoleo3d ago

You're not really going to be watching porn at the library though, just saying

pull_my_finger2d ago

Age checks certainly won't be restricted only to porn sites. Tons of sites have 13+ ToS like Facebook & the various other social sites, Discord too iirc. The reason people are so adamantly against this proposal is that it ties the machine to a particular identity. So how does a public computer work? If age verification is implemented at the OS level, can we even have public terminals? All those interfaces in stores that are just a website in kiosk mode? Would they be illegally representing end users if it's set as an adult on a master account/login? This proposal is so stupid and poorly thought out it's alarming.

hackinthebochs3d ago

In fact, many libraries have computers sectioned off in semi-private areas exactly for this reason...

h4kunamata3d ago

We expected no less from GOS project.

systemd which was already in hot water over because the problems it creates over service, this was the last drop to get folks dropping systemct altogether.

calgoo3d ago

i wish, but its not easy. So much of the application ecosystem has now been adapted or built around systemd and its other services. While some tools might still work with dbus alternatives, its quite clear that its harder and harder to use linux without it. Gnome is one example where even the dbus replacements wont work anymore. Others will follow; ironically Ubuntu is doing its own thing like usual, using systemd and resolved but not some other parts. However, im not really holding my breath there, as they usually end up adopting the "standard" way; now in the hands of companies like IBM....

I think the only option really at this point is to move over to BSD, but we face other issues like GPU drivers etc. The same people that worry about systemd probably also worry about AI, so if they want to be able to use it, it needs to run locally.

The 3rd option is to move away from general computing, and start building esp32 powered tools, where we can own the fulls stack. Dedicated digital tools for specific purposes. Personally, this sound like the best option, taking into account that we have almost lost the battle for open OS on mobile devices. We need to get away from the giant US corporations for the majority of our computing, and only interact with them when absolutely necessary. A grass roots computing moment basically.

drnick13d ago

This is absolutely the right stance to take against such stupid mandates.

echelon_musk3d ago

How's that gonna pan out with Motorola?

Motorola likely wont sell devices with GOS preinstalled in those regions.

NotPractical3d ago

Wasn't most of the hype surrounding the Motorola partnership based on the idea that you'd be able to get a device with GrapheneOS pre-installed, boosting the legitimacy of GrapheneOS as a competitor to Google Android? Sure, "GrapheneOS adds several more supported devices" is cool and all, but it's not nearly as exciting...

estimator72923d ago

If Motorola have a problem with it, they obviously aren't the right partner for Graphene.

Graphene obviously won't want to partner with a company that immediately bends over backwards for this kind of puritanical nonsense.

Motorola wont break the law. They just wont sell preinstalled devices, if preinstalled devices was even on the table for 2027.

izacus3d ago

Motorola will obviously have a problem with violating the law in several US states.

Like, what's unclear here? Do you seriously say that corporations should just ignore laws which they don't like?

raverbashing3d ago

More likely they will just add their own age widget themselves

cadamsdotcom3d ago

This is excellent; silly laws on the books should exclude countries from access to things.

Unfortunately it’s not enough because there’s also a need to work to get the laws repealed AND stop the endless attempts to bring them back.

CommanderData3d ago

Will a record be kept associating a device to a person through the verification system?

What's next, browsers sending this to $website every time you need to post a comment on the web.

Svoka3d ago

Seems like a pure virtue signaling: they don't sell or make hardware. It is mandated only for pre-installed operating systems, from what I understand.

crtasm3d ago

They've partnered with Motorola to have it preinstalled on phones, this is in TFA.

Preinstalled devices is not the main goal of the partnership. GOS is ok without having that to start. Motorolas stock OS will still be available.

moffkalast3d ago

Could just ship it along on an SD card with a single button install you do yourself. Technically not preinstalled.

3 more replies

razingeden3d ago

Virtue signal away. I’m with whatever device and OS purveyors are willing to tell these tyrants to get stuffed.

I haven’t cut over to it completely yet but I think this’ll be the last nail in the coffin for my time as an Apple user. It’s already a loveless marriage , it’s already over, I’m already sleeping with GrapheneOS on the side. it’s asking when I’m going to leave her and it’s always “soon, baby. soon.”

As they should, I was personally surprised so many people were surprised come ICE raids that government can buy and track location via apps, advertising and your phone in general. Regular people need an idea, who is.. uhh.. less likely to sell them down the river.

Its a statement for the future. They arent bound to add this now but they could be in the future. They will adapt accordingly to avoid it.

enoint3d ago

The California law does apply to existing OS, right?

idatum3d ago

Can someone catch me up how FB et al are not the ones responsible for age verification?

Is it lack of something similar to PKI for identify verification?

whynotmaybe3d ago

If we go back a few years and analyze the porn magazines that are sold in a gas station, it's not up to the magazine to ensure that the "reader" has the legal age.

So we delegated the responsibility twice, first the gas station attendant must check the age of the buyer and then, the buyer should check the age of any reader.

So now, who's the "gas station attendant" in our situation?

pas3d ago

because there are other sites/apps online too, and it's better to decouple the "obtaining the verification" and the "presenting the verification"

and if sites and apps don't need to be in the loop for this they can't end up leaking all over the 'net

hackinthebochs3d ago

Why would you want every site on the internet to traffic in government IDs? This is by far the least bad out of all possible ways to implement age checking. The benefit of this is that it can short-circuit support for more onerous age verification. The writing has been on the wall for some time now: the era of completely unrestricted internet is coming to an end. The question is how awful will the new normal be? This implementation is a win all around, a complete nothingburger. We should be celebrating it, not fighting it tooth and nail.

The tech crowds utter derangement over this minor mandate is truly a sight to behold.

fc417fc8023d ago

> This is by far the least bad out of all possible ways to implement age checking.

Not quite. The least bad (that I'm aware of) is to mandate RTA headers (or an equivalent more comprehensive self categorization system) and to also mandate that major platforms (presumably OS and browsers, based on MAU or some such) implement support for filtering on those headers.

But sending a binned age as per the California law is the next best thing to that.

OutOfHere3d ago

I think that malicious compliance all the way might have been the better option here. If a birth date is all that is needed, let the user enter a random one. If actual biometric verification is needed alongside, let the user also paste the code to a fake biometric validator that always returns valid.

It is the same philosophy as with an app that forcibly wants an invasive permission to the detriment of the user. Let the app have the permission while in a sandbox so it sees nothing.

Giving in in any capacity is unacceptable. The GrapheneOS foundation is based in Canada and is not obligated to record this information, so they wont. They have no reason to comply, be it malicious or otherwise.

Agreed. This is one of those moments you might as well simply say no. For practical reasons too, your users do have options and tend to be the kind that will drop a distribution if it goes rogue.

Polizeiposaune3d ago

Asking the device owner for the user's birth date is precisely what the (California) law requires.

Biometrics are not required.

The concept appears to be that a parent or guardian could enter the birth date before turning the device over to a child.

Malicious compliance would be providing this age bracket API:

boolean is_user_over_18() { sleep (18 * 365.25 * 86400); return true; }

This is a real-time interface (as required by the law) that takes 18 years to complete. (Remember: "Real-time" does not mean "fast").

ErroneousBosh3d ago

> Asking the device owner for the user's birth date is precisely what the (California) law requires.

Why would anybody bother to implement that?

OutOfHere3d ago

The New York bill specifies a biometric requirement.

WhyNotHugo3d ago

You'd need to closely read the law and have a lawyer advise you, but a neat attempt might be to just ask for the date of birth, send that "in real time" to the App Store program, and then have that program simply discard it?

I don't think current iterations of the law require that this be sent off-device in any way.

Polizeiposaune3d ago

The second requirement of the California law is that there be an API available to all apps that returns the age band a user is in -- one of:

age < 13

age >= 13 && age < 16

age >= 16 && age < 18

age >= 18

A non-maliciously compliant implementation would need to retain a date of birth or equivalent until the user was over 18.

A maliciously compliant API could just wait 18 years after account creation before yielding an answer. (remember folks: "real time" does not mean "fast").

One of the oddities about the way the law is phrased is that it requires the age band information about the user be provided to "the developer" rather than to the application.

endofreach3d ago

Agree. I didn't even think of that. Embarrassing. Your approach might have been the best option.

arbirk3d ago

We are back to printing books, boys

nothrowaways3d ago

Apple should be championing this.

enoint3d ago

They should be proactively marketing the best parental controls on the market.

hereme8883d ago

so... just sell a phone with a script prompts the user to install the OS, and it auto-verifies hashes, can't be bypassed, etc. Is that too simplistic a solution?

I highly doubt that would work but there could be, say, a card in the box with the link to the webinstaller and the webinstaller can be made even easier.

Dylan168073d ago

Having an age setting is not verification.

Having an age setting is not verification.

I hate the articles that lump everything together.

wolvoleo3d ago

No but it is one of the building blocks for a verification system.

Dylan168073d ago

It could be used in one. But it would need so many changes that it doesn't advance that kind of thing by much.

It also gets sites to stop doing their own invasive verification systems.

endofreach3d ago

I know it's gonna be a very unpopular opinion. I do like, appreciate, respect & admire that they are ready to die on a hill. I just don't think it's the right hill. I do not have an issue with the legality of it. Rather I think age verification is actually not bad. Sure i see the potential danger. But there is potential benefits, that'd counter the danger, by a lot.

In different times, i might have argued differently. I'm not saying it's not worth protecting the world you deem worthy of protection. But no matter what that world is to any of you. The one we all share is changing for sure. Uncontrollably fast. And many things are gonna change. And many things won't matter that much anymore, if we actually end up going where we're headed.

I mean a this is just a super small part of it all, but i assume in this specific case, for graphene, it's a battle for privacy... and they're right. But we're still going into a future where we got 5,10,20,30 more years of "AI", even just keeping the same level of overall sophistication for most, but costs decreasing immensely... I don't know about you, but I don't think the ways we protect our privacy can be unaffected, already because we're going to learn all new aspects about which data is private. Just out of practicality. Extreme example: but if generating hundreds of obscene deepfakes of any person as easily as taking a photo with your iPhone... ah, i can't keep having this discussion, i hope i am just an insane moron who is wrong. But, just to be sure: instead of arguing if we should close the windows on the train that's burning, or leave them open, as some are smart and others need help, let's just get off the fucking train.

And yes of course. One might argue (I actually would), we should not start implementing laws like that or start making personal information a requirement to digital access.

But this might be the first step to a different future, or not. As i said, who cares where the train is headed. It's burning and nobody even really wants to be on it. Let's please get off the train.

Not saying the battle is lost. I have tried working on something because I still have great hope. But someone seriously must act. I tried, getting off the train. Or at least start standing up from my seat. Realizing it's not that easy to get off. It's embarrassing, but i can't even get off the train by myself... i tried anyway... but here i am, sitting again (currently on the floor, lost my seat, damn...)... i have been building something for the past 2 years. Well, trying to build something, an attempt to change course... ruining my life over it. And currently i failed, before i even got to a point where my prototype or any of the theoretical work even remotely represents the vision. But maybe i just learned, i was wrong about all of it. I hope i'll make it back being able to afford working on it and someday a way to make enough money to pay smarter people than me to join. But currently, it's insane for me for me to even dare dreaming about that. I have really dug myself a hole. Next time, it should at least be a hill...

So in the meantime: can people like the dudes & dudiñas from graphene please chose a wiser battle. If just some of all these people got together & worked on getting off the train, instead of working on things that seem meaningful now, but wouldn't even be considered worthy of being mentioned in the future... we'd have a shot.

Damn. I still just can't accept it, even though i've literally lost everything believing that. And i am ashamed so deeply believing in what i saw, and in friendly moments still see, as a future... thinking i could change it, without changing myself... but please god, in the end, let me not have been just bonkers, but convicted.

(As if that, would be, any different).

I appreciate the thought, but I personally disagree having seen the patterns of the past 2-3 decades. There is zero real benefit to it save powers that be. Honestly, the only reasonable move forward is non-compliance. Everything else results in steady inching towards full blown panopticon ( and some would argue that we are already there ).

https://grapheneos.social/@GrapheneOS/116261301913660830

GOS is not going to compromise on user privacy and security. This is not a technical problem, it is a social one where parents refuse to do what they should have done from the start. The internet is not for kids. Presuming users to be guilty until proven innocent is unacceptable. Making mechanisms to obtain user data, even if it is completely and perfectly functional and achieves what it sets out to do, risks malicious parties obtaining that information. The only way to win the game is not to play, to not ever provide that data, and children shouldnt be playing the gane in the first place.

mmooss3d ago

The GrapheneOS Mastodon post says,

"GrapheneOS will remain usable by anyone around the world without requiring personal information, identification or an account."

That raises the issues that GrapheneOS needs to solve, which may require more creativity than bold, somtimes combative statements.

If GrapheneOS doesn't comply with laws and regulations then they will sometimes be banned or restricted. If that happens, they may not be "usable by anyone around the world" for long.

That doesn't mean they have to capitulate or sacrifice security. They can find creative solutions, some of which are suggested here. The first step is to carefully read the spec to determine what is necessary, then talk to someone like the EFF, and find a way forward.

test7rocks3d ago

Better would have been a statement "If GrapheneOS devices can't be LEGALLY sold in a region due to their regulations, so be it." . I hope that is what they meant, leaving open the possibility they'll have a secret drone delivery squadron bringing GrapheneOS phones in to Brazil and other equivalent places.

Also it would be nice if, where Graphene has partnered with hardware manufacturers, then said hardware sellers could issue a statement like "$Manufacturer promises that in regions where GrapheneOS is illegal we'll leave the bootloader unlocked, if users choose to break local legislation then that is on them" and furthermore a statement like "$Manufacturer fully swears on all honour possible that in any regions which ban unlocked bootloader devices then, oops, we found that if you short pins 3 and 8 of the third chip on the left together at any time during booting you'll permanently unlock the bootloader and absolutely nobody is allowed to know that. Which is why we've posted this on every social media channel. Afterall, all our users need to know that they're not allowed to know that the bootloader can be unlocked by shorting pins 3 and 8 (third chip on the left) with anything less than 20 ohms (nobody must know that a paperclip would do for this)".

Nonetheless: Well done GrapheneOS!!!!!!!

notrealyme1233d ago

The problem is the spirit of the law, not the word.