In the face of new legislation in the state of California and parallel measures passed or in the process of being passed in the American state of Colorado, Brazil, and others, this post delves into what these measures do, how Ironclad is affected by them, and how the Ironclad project plans on approaching them.
Bill No. 1043, coined the “Age verification signals: software applications and online services” act, is a measure passed by the California State Assembly that mandates that any operating system, beginning January 1, 2027, essentially require age attestation for any account created in the system and store it in the form of an age bracket. This bracket would then be provided through an API to eligible applications, with the goal of altering their behaviour based on this information. This age information also affects the software that the user is able to run or install, among others.
It is important to note that this measure requires age attestation, but not age verification. The user can lie about their age and the operating system would be none the wiser.
It is unclear at this moment what constitutes an operating system under the legislation and how this affects embedded operating systems or industrial products.
Penalties for non-compliance are outlined in the legislation, which states monetary penalties and other offenses on a user-by-user basis, with fines of up to $2500 per affected user.
Similar legislation is being proposed or has passed in other countries or states, like Colorado’s SB26–051 “Age Attestation on Computing Devices”.
Ironclad as a project consists of several moving parts that are affected differently.
Ironclad, as an isolated kernel, is not usable by itself or distributed as a self-contained operating system; in this aspect it is no different than a library. The age attestation is completely implementable in userland with no kernel support, and is legally the responsibility of the operating system, not the kernel provider, so Ironclad would need no changes.
If these kinds of measures end up requiring that execution of restricted apps be banned at the level of syscalls like exec based on age, and not only in UI app listings, then Ironclad would need to be modified to accommodate that, possibly by bolting these age checks onto the Mandatory Access Control (MAC) system we already have.
Gloire, our reference distribution, constitutes an operating system, and would need this functionality implemented, possibly in the form of a library that programs will be able to use and that user login programs like login or session managers like slim can wire into.
Additionally, Gloire provides package management with its official repositories and xbps. This package management would need to be overhauled to add age ratings to the apps and libraries that can be downloaded, and filtering would need to be done depending on the age of the downloading user. Possibly, access to certain apps would need to be restricted depending on age.
Gloire, like many other UNIX-likes, does not have a centralized account infrastructure; this would pose massive issues if these measures are to be implemented by the letter of the law. There is a lot of talk in other OSes like Linux or FreeBSD of implementing a common library to approach these issues; we are very similar in this regard, so we would be able to use these hypothetical solutions.
These libraries and applications are suitable for users of all ages and thus will not need any modifications. The age gating and download gating are done by the operating system and not the app, so they would remain untouched.
These legislations are a bit of a nothing burger so far. As far as this is concerned, these age attestation checks are completely useless and easily bypassable by any underage user. As a child myself, I lied about my age online many times, and I’m sure today’s youth will also do it.
What’s scary about these measures is that one can very easily imagine a world where they are used as a stepping stone for more invasive methods of age verification. Once the underlying mechanism is established and used, it should be fairly easy for these governing bodies to enact laws that mandate that this age be fetched from a scanned ID instead of user input. Given how blatantly useless the current legislation is, I cannot imagine this not being the plan; otherwise, why even bother?
Regardless of what I think, I expect these legislations to spread around the world in short order, which means that operating system providers must address them head on instead of banning the use of our products in California and Colorado only, as that would be only a partial and temporary solution.
It remains to be decided what we do; this legislation is extremely vague and requires a lot of finessing and explaining to know exactly what to do. If by any miracle only California and Colorado do this, I will be extremely happy to prohibit use of Gloire in these two states and move on with my life; my fear is that it won’t stop there, though, as I explained before.
We also don’t have a strong legal team to help navigate this situation, so for now what I think we will do is wait to see the lead taken by other, bigger operating systems like Ubuntu or SUSE, and take from their path whatever we can. We have until the 1st of January of next year to have decided on a solution, so we are not in a rush just yet.