California's Age Verification Law is GOOD, Actually
If you get your headlines from tech YouTubers or enthusiast forums, you are probably outraged by the new California "age verification" law at the "operating system level" that will "even affect Linux!"
I read this law months ago before it passed and thought it was very good. Even if this law didn't exist, I would still want operating systems, including Linux, to implement the proposed changes.
The law has issues, maybe even fatal issues, but not with respect to privacy or censorship. In fact, I argue if people sober up and get behind this law, it could save online privacy and the open web.
Read on to see the truth. Or read the law itself to make up your own mind. It's really not long, and I am also not a lawyer.
My mockup for a hypothetical complying prompt. Oh, the horror. Available under CC0 1.0
It is NOT age verification
Calling this an "age verification" law is already wrong, despite what it's titled. Nowhere in the law is any party required to verify the user's age.
What the law requires is for operating systems to provide a UI for new users to indicate their age or birthdate (or both). It should be called an "age indication law".
1798.501 (a) (1) [An operating system provider shall] provide an accessible interface at account setup that requires an account holder to indicate the birth date, age, or both, of the user of that device for the purpose of providing a signal regarding the user’s age bracket to applications available in a covered application store.
Notably, the OS doesn't verify that the indicated age is real. There is no requirement to check ID, biometrics, or anything. The account does NOT need to be an online account.
Privacy-conscious users could spoof generic adult value, like 2000-01-01, and use their computer unrestricted and unidentified.
Apps won't see your age
The OS is only required to provide apps with a user's "age bracket data". This is even more generic than birth date or even age itself.
1798.501 (a) (2) [An operating system provider shall] provide a developer who has requested a signal with respect to a particular user with a digital signal via a reasonably consistent real-time application programming interface that identifies, at a minimum, which of the following categories pertains to the user:
(A) Under 13 years of age.
(B) At least 13 years of age and under 16 years of age.
© At least 16 years of age and under 18 years of age.
(D) At least 18 years of age.
A privacy-conscious OS could comply by merely signalling which of these 4 buckets the user falls in. In other words, all adult users appear identical.
Incentives to keep data private
Worried that this law is handing free data to random apps to do nefarious things with? Well, the law basically forbids just that:
1798.501 (b) (4) A developer that receives a signal pursuant to this title shall use that signal to comply with applicable law but shall not do either of the following:
(A) Request more information from an operating system provider or a covered application store than the minimum amount of information necessary to comply with this title.
(B) Share the signal with a third party for a purpose not required by this title.
So app developers can't request more information than necessary, and can't share the information with third parties unless required somehow by this law.
This law also disincentivizes performing more invasive age verification. Imagine if the law punished app developers for serving age inappropriate content to minors because the age signal was false -- they might demand to see your ID just to be safe. Luckily the law accounts for this:
1798.501 (b) (2) (A) A developer that receives a signal pursuant to this title shall be deemed to have actual knowledge of the age range of the user to whom that signal pertains across all platforms of the application and points of access of the application even if the developer willfully disregards the signal.
Thus app developers can safely assume the OS age signal is accurate.
A similar safeguard is given to the OS provider:
1798.503 (b) An operating system provider or a covered application store that makes a good faith effort to comply with this title, taking into consideration available technology and any reasonable technical limitations or outages, shall not be liable for an erroneous signal indicating a user’s age range or any conduct by a developer that receives a signal indicating a user’s age range.
This effectively means app developers and OS providers can stop worrying about whether the user is the appropriate age for certain content. They can just trust the user's indication of their age bracket.
Why this law could save the web
I don't want to live in a world where I'm required to identify myself to access software and content because of laws meant to "protect children". Such legislation is already in effect or quickly approaching all over the world.
At the same time, some content is just inappropriate for kids. The status quo where every app either prompts their own "are you over 18?" button or requires your ID is not acceptable either. The political will for something better is real among voters, not just a top-down Orwellian conspiracy.
This California law was written with these concerns in mind, and it strikes a good balance. I see it as kickstarting the state of affairs that I want to see anyway: A standard interface for apps to self-filter content based on the user's age bracket, which is handled fully offline and is easily spoof-able by advanced users.
Being relatively "early to market" in the US, this law could diminish demand and justification for dramatically worse laws like KOSA. Why mandate ID collection on every website if we have a perfectly good age-gating system already?
Assuming, of course, the law isn't repealed after all the performative backlash.
Conclusion
The law has some issues. 1798.501 (b) (1) strangely requires all apps to query the age bracket information upon install, even if they don't need it. It's also not clear whether servers will be affected, which may be "general purpose computers" under this law. It also has free speech considerations, as it is essentially compelled speech on the view that operating system code is speech.
I wouldn't blame anyone for opposing the law for legitimate reasons like these. But the mainstream outrage I see is false alarmist nonsense.
Hopefully the conversation can shift towards a good-faith effort to implement the new signal, because it is a good idea even if the law requiring it went away.