Over the past week or so, a lot of news has come out about new legislation in the state of California and parallel measures being passed in the state of Colorado and in Brazil. This blog post delves into what these measures do and how the Ironclad project plans to approach them.
California’s Assembly Bill No. 1043, titled the “Age verification signals: software applications and online services” act, is a measure passed by the California State Assembly that mandates that any operating system, beginning January 1, 2027, essentially require age verification for any account created on the system, store the result in the form of an age bracket, and provide an API that eligible applications can use to query this information. This age information also affects software distribution in repositories, which must be filtered by age, and the availability of those apps to the user.
The legislation outlines penalties for non-compliance: monetary penalties and other offenses on a user-by-user basis, with fines of up to $2500 per affected child. These penalties make the legislation impossible to ignore.
Similar legislation is being proposed or has passed in other countries or states, like Colorado’s SB26–051 “Age Attestation on Computing Devices”.
The goal is to allow eligible apps to modify their behaviour according to the age bracket of the user, for example by denying an underage user the use of adult-only apps, or by allowing a browser like Firefox or Chrome to enable or disable safe-search based on this data.
It is unclear at this moment what constitutes an operating system under the legislation and how this affects embedded operating systems or industrial uses.
Ironclad as a project consists of several moving parts that are affected differently.
Ironclad as a kernel does not constitute an operating system, and is neither usable by itself nor distributed as a self-contained operating system. In this respect it is no different from a library. Additionally, these age checks are completely implementable in userland and require no kernel support, and they are the responsibility of the operating system, not the kernel provider, so Ironclad would need no changes.
If these kinds of measures require things like blocking the execution of restricted apps from syscalls like exec based on age, then Ironclad would need to be modified to accommodate that, possibly by bolting these age checks onto the Mandatory Access Control (MAC) system we already have.
Gloire, our reference distribution, constitutes an operating system and would need this functionality implemented, possibly in the form of a library that programs can use and that user login programs like login or session managers like slim can wire into.
Additionally, Gloire provides package management with its official repositories and xbps. This package management would need to be overhauled to add age ratings to the apps and libraries that can be downloaded, and filtering would need to be done depending on the age of the downloading user. Possibly, access to certain apps would need to be restricted depending on age.
Gloire, like many other UNIX-likes, does not have a centralized account infrastructure. This would pose massive issues if these measures are to be implemented by the letter of the law. There is a lot of talk in other OSes like Linux or FreeBSD of implementing a common library to approach these issues. We are very similar in this regard, so we would be able to use these hypothetical solutions.
These libraries and applications are suitable for users of all ages and thus will not need any modifications. The age gating and download gating are done by the operating system and not the app, so they would remain untouched.
I expect this kind of legislation to spread around the world in short order, which means that operating system providers must address these measures head on instead of banning the use of our products in California and Colorado only, as that would be only a partial and temporary solution.
What’s worse, I’m not sure how this improves anything for our children. Browsers already had mechanisms like safe search gated behind their own account system, and explicit websites can be gated by law too, like other states already do.
I’m not convinced kids downloading DOOM from the distro package manager will lead to them becoming psychopaths. If this year taught anyone anything, it is that the single biggest risk to a modern child is being close to a politician, and the US isn’t passing laws or convicting people for that. Why is the threat of kids downloading libz on their package manager so great to their politicians?
It is also an attack on the user’s privacy, as the user is now required to report personal information to the system for storage outside their control, and in the future it’s very easy to imagine requiring this information to be cross-checked with a government-controlled database, or requiring a phoning back of this information, or requiring an AI-powered age check to verify that the age entered by the user is correct, which comes with a lot of safety and privacy concerns. It does not require that now with this legislation, but once you give your info to the OS, it’s up to it to change its mind in a future update.
It remains to be decided what we do. This legislation is extremely vague and requires a lot of finessing and explaining to know exactly what to do. If by any miracle only California and Colorado do this, I will be extremely happy to prohibit use of Gloire in these two states and move on with my life. My fear is that it won’t stop there though.
We also don’t have a strong legal team to help navigate this situation, so for now what I think we will do is wait to see the lead of other bigger operating systems like Ubuntu or SUSE, and take from their path whatever we can. We have until the 1st of January of next year to have decided on a solution, so we are not in a rush just yet.
I will edit this blog post as new information comes out and what we do becomes clearer with Linux distributions like Ubuntu and Fedora setting a precedent for us. Please stay in the loop about the changes done to your personal use operating systems.