Think of the children: Linux community against age verification

Contents

Simpsons fans know the scene from season 8, episode 18: Helen Lovejoy emphatically points out that one absolutely must think of the children – in English, "Won't somebody please think of the children?". The saying has since become a meme, and many users in the Linux world are quoting it particularly often these days. Because something is brewing. Colorado and especially California have stipulated in recently enacted laws that "providers of operating systems" must in future offer an age verification mechanism. It will be activated as soon as someone creates an account on the respective computer. Because trust is good, but control is better, California additionally stipulates that the system must compare the entered data with public databases during registration. The law is not yet concrete, but Governor Newsom has already announced changes and expansions.

The Linux world faces a dilemma with this farce. Microsoft, Apple, and Google (for Android) can be forced to incorporate such queries into their operating systems with relative ease. The situation is different in the Linux world: Who is an "Operating System Provider", as the Californian law calls it? For Red Hat, Canonical, and SUSE, this question may still be answerable. But what about pure community projects like Debian or Linux Mint? Debian is not a legal entity in the USA, neither as a foundation under American law nor in any other form. The project has always been a "meritocracy", where those who actively contribute gain influence. It is almost impossible to name a contact person who could take care of setting up such a function. Anyone who knows the Debian community can easily imagine that the developers view the Californian law – to put it mildly – with disapproval.

In the various forums and mailing lists, things are currently heating up regarding age verification. The spectrum of discussion reflects the full breadth of society. Some participants offer concrete technical suggestions that Debian could use for such a function. Others strictly reject its implementation. Still others see the Californian law as easily circumventable nonsense that is primarily intended to restrict the freedom of regular computer users. To understand these opposing positions, a closer look at the individual standpoints is helpful.

Pragmatism over Idealism

First, there is the faction that approaches the matter pragmatically and wants to implement the function in Linux. Specifically, there is a proposal to implement an interface for age queries in D-Bus. The plan is as follows: D-Bus is to be extended with a definition org.freedesktop.AgeVerification1, which can connect to government services via plug-ins in the backend. Programs, such as the user registration tool, would then access this interface. The new interface is primarily intended to be appended to the existing D-Bus standards for the AccountsService function. Aaron Rainbolt's proposal goes deep into technical detail. It describes how the age check is to be handled, where on the system it should be noted which user has which age, and how the system protects this data from unauthorized access – namely, by belonging to the system administrator "root". This is intended to create a balance: on the one hand, to comply with legal requirements, and on the other hand, to prevent one's own computer from becoming an extension of the executive branch. However, Rainbolt's proposal did not generate much enthusiasm.

The mildest criticism of the proposal concerns the practical benefit of the entire measure. It is, according to the prevailing opinion in many places, not possible to meaningfully implement youth protection through state control on end-user systems. The Californian law merely serves to shift responsibility for violations of youth protection regulations from service providers to households. Because, according to the credo: If parents allowed their children access to a computer that they were not actually allowed to use due to their age, the parents would bear the responsibility – not the state and not the service providers. However, this is precisely what will happen in droves, largely without any consequences, thus rendering the law's purpose absurd.

Necessary in California, illegal elsewhere?

Other participants in the sometimes heated debates argue that a distribution like Debian could not implement such functionality without the system simultaneously becoming unusable in other parts of the world due to legal violations. Whether the age verification regulation applicable in California and Colorado is compatible with European regulations is at least questionable. Then Debian & Co. would be in an impossible situation: they would have to make verification mandatory in California but deactivate it in other parts of the world. Anyone who has ever tried to reliably determine a computer's location based on objective criteria knows how complicated that is. The simplest method would be to rely on the user's input when installing the location. But then the entire concept would be obsolete. Because anyone who doesn't want to bother with age verification could simply specify another country where such regulations do not exist, thus circumventing the verification. The EU is also working on comparable regulations to ensure better youth protection on the internet.

Far from these positions, there are countless extreme views in every direction on the internet. Some see the end of the world near and the mandated age check as a tool for abolishing fundamental rights. If a program is widely available on computers that can be used to restrict access to certain content, someone will misuse it sooner or later. This may be an exaggeration. However, in light of the technical developments of recent years, it is certainly worthwhile to think about the issue of fundamental rights in this context. All hardware manufacturers today place great importance on building Chain-of-Trust constructs that can prevent the execution of certain code – Secure Boot is an example. It is by no means impossible to further develop these tools so that they can be used to gain control over end-user devices and the content they consume. The introduction of mandatory age verification is seen by some as a harbinger of such efforts, disguised under the guise of youth protection – "think of the children" in its purest form.

Absolutely Not

The opinion that the problem is none of Debian's business must not be missing from the canon of opinions within the Debian community. On the one hand, it is not an "Operating System Provider" because it is not a legal entity and no one can hold the project liable, neither in the USA nor elsewhere. On the other hand, any attempt to solve social and educational problems through technology is futile anyway. Because, in particular, Debian's characteristic of being based exclusively on free software prevents any such approach from the outset. In the USA, free software is also considered free speech according to US federal courts. One cannot forbid a developer from publishing free software, and thus every user has the opportunity at any time to completely remove youth protection functions by modifying the code. This also makes the sometimes-held view that Debian should simply prohibit the use of its Linux distribution in California and Colorado superfluous. A step that many in Debian would hardly agree with, as it would clearly violate the principles of free software. Last but not least, the Debian Free Software Guidelines (DFSG) explicitly prohibit discriminating against or favoring a particular group of users.

Conclusion

One might get the impression that the debate surrounding mandatory youth protection catches the classic community distributions off guard. Using the Debian project as an example, it is clear that they have neither the infrastructure nor the intention to comply with such regulations. How the contradiction between desire and reality will ultimately be resolved is currently not foreseeable. It currently seems unlikely that Debian will actually implement comprehensive functions to comply with the law that comes into force in California in January 2027. Especially in light of the fact that the EU is planning similar regulations, interested users and developers alike would do well to at least continue to follow the ongoing debates.

(afl)