These are active, ongoing discussions on the Qubes OS and Whonix Forum with various external references to forges, mailing lists, and MediaWiki instances of other Linux distributions across the Internet.
Thank you for the link, I shared it in the Qubes OS Forum topic and provided attribution to your contribution.
What a disaster. People making laws with no concept of the implications.
I will continue to provide updates to this topic as the Qubes team and Encrypted Support LP work (together) on developing a solution to address this issue.
Well that’s… interesting. I am more open to age verification on algorithmic social media only than others on here, depending how it’s implemented, but I don’t know why you would want an OS based limitation logs age brackets.
“(b) “Age bracket data” means nonpersonally identifiable data derived from a user’s birth date or age for the purpose of sharing with developers of applications that indicates the user’s age range, including, at a minimum, the following:
(1) Whether a user is under 13 years of age.
(2) Whether the user is at least 13 years of age and under 16 years of age.
(3) Whether the user is at least 16 years of age and under 18 years of age.
(4) Whether the user is at least 18 years of age.”
We would hope linux devs are only requesting the minimum, at which point the 17 year old can select 4 and no one gets fined… Then every application in the official repositories gets this information for some reason? Having every application know it’s talking to a very honest 12 year old is safer somehow? If the 12 year old is smarter than me and learns how to compile programs before they’re multiple decades old, will that bypass it?
Maybe the intent is to make it so that the profile on a tablet is set up with an age bracket, and then, even if the profile has access to google play, California can ban them from downloading tiktok? That would be similar to a child profile with gated content, except California gets to decide what’s on it instead of the parents.
It seems like this will have limited impact on linux in any case. Fedora already knows I’m probably older than 17. The risk is maybe future expansion, like requiring applications to check the age category and declaring other applications black market applications, or punishing the kids who lie about their age like with tobacco and alcohol.
Also shared accounts are exempt:
“(g) This title does not impose liability on an operating system provider, a covered application store, or a developer that arises from the use of a device or application by a person who is not the user to whom a signal pertains.”
Overall it seems unnecessary when devices can already be locked down by the parents. They could have made child user a required type of user account instead, where the parents must manually approve new applications, to make it less confusing for parents to set up.
Am I misunderstanding anything?
Per Tom’s hardware
These small distros lack legal teams or resources to implement the required API, so a more realistic outcome for non-compliant distros is a disclaimer that the software is not intended for use in California.
Sounds like the cancer warning on everything.
On a side note, they need to start requiring QR codes to gov websites so I can find what the actual problem is with stuff like pliers. Like, no, I’m not licking the pliers and I wash my hands before I eat.
The Kicksecure Wiki’s Age API page has been updated multiple times throughout the last day from concerns arising from the Whonix Forum:
@adrelanos has provided an important moderation post regarding the Whonix Forum topic:
Nothing official from the Qubes team, at least not collectively.
Been hearing all the rubbish about the laws from CA, CO, NY. Some parts of the internet are calling this the death of private Linux, and apparently some are even hoarding Linux isos.
Others, like some leaders on the Fedora Project, have figured that while minor tweaks will be needed it’s largely a nothing burger.
So is this a big deal? Is this the twilight of private linux? Or is this a situation where the cart has gone before the horse? I’m looking for an actual answer to this; I’m wondering if the PG staff have any commentary on this?
Linux distros intending to make money in California need to be worried. Everybody else can say “Not intended for use in California”.
Yeah but… doesn’t that include fedora? And everyone downstream? And whonix and secureblue wanting to keep CA? Seems like a lot of people could be impacted outside of CA, or even USA
I am not your lawyer. Ubuntu posted an official response saying they have no plans at the moment to implement it. And they are also not your lawyers.
TL;DR: it’s a nothing burger making headlines.
People who call this and similar legislation the “end of open source” remind me of those doomers who think GenAI is the AI iteration that is sentient and self aware that will rise up against us. People need to read up on history, specifically how encryption algorithms were illegal to export outside of the United States during the Cold War. I hope we never get back to a place where we’re debating if algorithms and code are speech and we have a government willing to enforce violence over it. But even when that happened, there were plenty of creative ways to exchange ideas when a government tried to lock things down. Now that encryption is everywhere it’s almost impossible to stop private free exchange between people without tearing down internet lines.
The government only has real leverage applying these rules to for-profit companies distributing their open core versions of Linux. I’m not sure if those sponsoring these bills are doing so for optics to flex to their constituents they are “keeping kids safe” or “stopping guns from being printed” or if they genuinely don’t understand how little these types of policies work on the internet. Maybe they believe in the apparent success of DMCA, which had more to do with people enjoying the convenience of early streaming services rather than people fearing the law. As streaming services enshittify, sharing copyrighted materials freely is back in vogue. Whatever the reason though, it doesn’t actually “kill” all of open source - whatever that is intended to mean.
One of the big concerns I’ve heard people say is that it may just be a couple states now, but eventually it will become standard everywhere or it becoming a law that mandates only government verified code is legal to run on computers.
You can play out quite a few scenarios here but I don’t see a world where any government can truly enforce policies that could end open source. It’s similar to the folly of governments trying to stifle free speech, it only moves it to the shadows. I believe the age checks legislation will actually just cause more issues for Microsoft and MacOS. For those companies that build on Linux like Red Hat, System76, and Canonical, the open nature of the code makes malicious compliance too easy.
Canonical already has Ubuntu source code out in the open. Any code they add can easily be removed, especially if it’s well labeled in the commit history. It wouldn’t be a lot to imagine some mystery maintainer familiar with the project makes a replica of the compliant operating system with a version of the code that simply doesn’t have that code and sits in a package url that looks similar to Canonical’s. You get the gist.
Your topic has been merged into mine out of chronological order, but you can find answers to your questions in the Kicksecure Wiki’s Age API page above your post, especially on how much importance the Linux ecosystem is addressing the issue, if any. For example, MidnightBSD has updated the COPYRIGHT file in their GitHub repository:
This problem is not just a Linux, Qubes or desktop OS problem. GrapheneOS has a thread discussing the problem.
For now it’s just an age API with self declaration by users and four age brackets, and IMHO if that is all the bullshit that operating systems had to comply with it wouldn’t be a disaster. However that is naive. I think the rulers are just introducing benign laws first. Complying with this, combined with the prior age verification compliance, would set the momentum for further compliance with more authoritarian laws in the future, not stopping until the rulers have control over everyone’s digital lives.
I naively imagine each OS project or part thereof could respond in one of the ways below. Not necessarily mutually exclusive.
- Comply exactly as the rulers demand.
- Ban people in affected jurisdictions from using the software and hope that people will find a way to circumvent the ban.
- Claim no need to comply because they don’t operate in affected jurisdictions. This assumes the premise is true. If the premise is false, make it true by shifting operations away from affected jurisdictions.
- Do nothing. Pretend the new laws don’t exist.
- Shift to anonymous and decentralized methods of development and distribution to evade the new laws.
System76 disagrees with the new laws but has chosen to comply, and there is discussion in the Debian community to comply (approach 1). MidnightBSD is taking approach 2 for now. GrapheneOS has floated approach 3 but AFAICT has not yet decided anything. One post from GrapheneOS is this.
We’re under no more obligation to filter the internet for California than we are to do it for China. Neither blocks access to the GrapheneOS website or services. If California wants to block access to those then they’re welcome to pass a law implementing their own Great Firewall. The most action they could get from us is replacing Los Angeles and San Jose servers with Las Vegas or Seattle.
Right, that Flarum thread has been referenced in the Qubes OS Forum topic:
@adrelanos has provided additional references to various GitHub pull requests towards other operating systems (Arch Linux and Ubuntu) deriving from the original XDG desktop portal pull request:
Tails has started a GitLab issue about the age verification requirement as hinted by @adrelanos (and referenced by @tokaso80 in #79 of the Qubes OS Forum topic):
Exactly. What you describe is called “boiling the frog” and is a well-established tactic to fool someone.
@adrelanos has provided an update on the Whonix Forum:
One of the multiple references was this Mastodon post from Carl Richell at System76 addressing both the California and Colorado bill:
The claim is that there is a possibility of open-source software being excluded from future bill amendments.
In addition, there is an Ageless Linux distribution based on Debian specifically targeting the legal language of AB 1043:
I just want to say I liked Midnight BSD’s response to this the best.
Sometimes you gotta use the R word, especially when it is actually and objectively warranted.