Age verification at the OS level makes no sense to me. Most households aren't going to have a separate device for every family member and so you will end up with a tablet or computer set up by one of the parents (and thus having their age stored) that will be used by both parents and children. Likewise, people generally won't create a separate account for every potential user.
> Age verification at the OS level makes no sense to me.
it's the only form of "age verification" which can be done in a somewhat privacy respecting way (as in at most leak the age)
the idea is to "bounce back" the "is old enough" decision to parent controls and let the parent choose (the Californian law doesn't quite do that perfectly, but goes into that direction)
and if you sell what is more or less a general purpose compute/internet access device with OS (which I do include phones into) I think it's very reasonable to either sell it to adults only (with a disclaimer it's "not for children") or include
proper parent controls
> Most households aren't going to have a separate device for every family member
in current times in the west it is very very common for many devices to be for one person only. Especially phones, or at least have different (OS) accounts.
but again this comes back to "parent controls", weather that is for a child (OS) account or a way to switch from a child profile to a adult profile doesn't matter
but in the end, the point of such laws should be to give parents tools to parent. As well as handling the case of parent acting in neglect by inaction. But if a parent intentional decides to give their children a device with their profile because they think it's fine than that should be their choice and responsibility.
> Likewise, people generally won't create a separate account for every potential user.
where it was possible I have not seen it not used, weather it's on a switch, gaming console or PC. It is the most convenient way of automatically separates logins, browsing history, game safes etc.
and the law als isn't made for that shared computer in the living room (through it will apply there). It's more about the devices children might use unsupervised, e.g. their phone.
I frequently see comments which would have made sense in the past (e.g. early 2000th) but kinda aren't fully reflecting reality anymore
it's as if humans have a tendency to make up their mind/world view in their younger years and then tend to kinda stick with it/only change it slowly as long as no big live changing events happen
Why? Why should Linux ever implement local laws like this as core functionality? Especially invasive/anti-privacy ones.
If someone wants to introduce an age-verification-ca-module, fine, but not make it core. Yes I understand systemd is not the kernel, but its ubiquitous enough.
That just says to every country around the world; Windows, Mac, and even Linux is on board too, let's make it law also!
I dunno, I always expected Linux to be the last bastion of freedom and not to capitulate so easily.
> Why? Why should Linux ever implement local laws like this as core functionality? Especially invasive/anti-privacy ones.
1) It's legally required to sell computers with that OS in certain jurisdictions
2) I presume there is at least one person actually selling said
3) The feature is so trivially easy to bypass that it presents no reasonable privacy threat at this time (IIRC, it's just a numeric field with no validation?)
There are still distros without it, I may have to go to one, since I already jumped Win10 to Cachy for the BS MS is pulling. I was going to go systemd-free but Cachy "just worked" compared to the others in terms of setup. So I stuck with it.
That is ok. The writing was on the wall for a while. It is time to let it go. It served its purpose. We might as well start mapping out a way without it in a more serious way out of sheer necessity. I know I am.
I don't see what prevents anyone (e.g., a distro maintainer) from patching that anti-feature out of the source or disabling with with root access. As long as people can control the software running on their machines, which is the idea behind Linux, nothing that people don't actually want will stay in the system.
Systemd shouldn't be foisting this nonsense on Linux users however. I suppose the anti-systemd subset of the Linux community was proven right after all, this is the kind of issue that can end up facing when a huge piece of opinionated software like systemd more or less becomes an indispensable part of Linux.
Western surveillance tech is superior because it gives you the option to choose your gender on a fluid scale when they're vacuuming your private data, whereas backwards eastern tech limits you to only male or female.
Good on them. Devices shouldn't collect any extraneous data by default other than that needed to fulfill a feature a user consciously selects, and that includes this stupid age verification spyware regimes are pushing.
An adult had to pay for the ISP connection; that's the extent of age verification needed. We shouldn't be demanding adults expose their identities to for-profit entities and surveillance states, so much as mandating for-profit companies make parental controls easier to use, more effective, and stopping them from harvesting data on kids in the first place.
Not every corner of the universe needs to be baby-proofed; we just need to build a society where parents are enabled and supported to be parents, rather than outsourcing such a critical role to strangers and/or devices so they can get back to work.
Apps requesting an age is not extraneous and there are many legal and safety reasons why an app may collect this information. If the operating system doesn't do it you run into the cookie banner situation where every individual site has to implement a dialog box asking the user instead of there being a standardized way to do it.
Wasn't most of the hype surrounding the Motorola partnership based on the idea that you'd be able to get a device with GrapheneOS pre-installed, boosting the legitimacy of GrapheneOS as a competitor to Google Android? Sure, "GrapheneOS adds several more supported devices" is cool and all, but it's not nearly as exciting...
If shipping a specific device configuration to the US is illegal, Motorola should not ship this specific device configuration to the US.
I do not think our parent is suggesting otherwise.
AFAIK Motorola and GrapheneOS are not merging, they are getting into a partnership. They do not have to think or do exactly the same.
Apple can comply with both CCP and US demands at the same time without a problem. I am sure Motorola can adjust their services to the markets they are working in, as well.
Your arguments show a lack of the least imagination, let alone simple reasoning.
There are countless ways to satisfy any regulation while still doing whatever you actually want to do.
The very most obvious is simply sell the device, in the affected areas, with any sort of os that meets the letter of the law in that area.
If it's also easy for the user to install something else once it becomes their property, well that's the new owner's business atthat point, Motorola did their part and complied with everything required.
No one needs to demand a company violate anything. That is just a silly argument to even try to make. Calling people insane for things they never said nor even implied is what's insane.
They are not building a product that cannot be sold in their primary market. They are not designing GrapheneOS devices, they are improving existing devices to meet GOS requirements. There will still be an OEM OS for those devices. Preinstalled GOS devices can simply not be sold there.
This is emblematic of a misunderstanding technologists often have about the law. We try to treat it like code we can exploit and hack around. But there is no compiler deterministically producing outcomes. Of course, this misunderstanding is often bolstered by the accurate observation that lawyers and businesses find loopholes and favorable interpretations that to us appear much like the exploits we propose. The critical element that's often missed, though, is the human one. To get away with an exploit, to have the case law updated to reflect your favorable interpretation, you need power, influence, and alignment on your interests. There are tax "loopholes" now that are commonly used but in a prior era, under the same laws, would have seen you dragged into court and eviscerated. If you tried your cute SD card trick a judge would tear you a new one. If Microsoft tried it, they could maybe talk to the right people before the case and come to an understanding that this little loophole was convenient for dev devices or something, and convince a judge to rule that they could do it, but only if accompanied by some external age confirmation they could self-attest to, with some wording that makes it clear that the trick is only usable by large and well-respected institutions. The law is not an impartial arbiter that you can outsmart. It's the enforcement mechanism for multiple tiers or rules that bind different classes. This age gathering law is a classic moat law. It exists to prevent outgroups from shipping software that's incompatible with this age communication system, and in a business-to-business context serves to establish obligations between ingroup members. Any other clever interpretation of the law will be discarded regardless of specific wording.
You sound like a teenager fighting his parents. "Technically you didn't say WHICH bed I had to be in by midnight!!!!! I was in A bed, I followed the rules!!!!"
Society (mostly) works because we all agree that laws have intents. The wording is crafted as best as possible, and for the rest we have judges to shutdown lawyers trying to be a moffkalast smart asses.
As they should, I was personally surprised so many people were surprised come ICE raids that government can buy and track location via apps, advertising and your phone in general. Regular people need an idea, who is.. uhh.. less likely to sell them down the river.
Virtue signal away. I’m with whatever device and OS purveyors are willing to tell these tyrants to get stuffed.
I haven’t cut over to it completely yet but I think this’ll be the last nail in the coffin for my time as an Apple user. It’s already a loveless marriage , it’s already over, I’m already sleeping with GrapheneOS on the side. it’s asking when I’m going to leave her and it’s always “soon, baby. soon.”
I think that malicious compliance all the way might have been the better option here. If a birth date is all that is needed, let the user enter a random one. If actual biometric verification is needed alongside, let the user also paste the code to a fake biometric validator that always returns valid.
It is the same philosophy as with an app that forcibly wants an invasive permission to the detriment of the user. Let the app have the permission while in a sandbox so it sees nothing.
Giving in in any capacity is unacceptable. The GrapheneOS foundation is based in Canada and is not obligated to record this information, so they wont. They have no reason to comply, be it malicious or otherwise.
Agreed. This is one of those moments you might as well simply say no. For practical reasons too, your users do have options and tend to be the kind that will drop a distribution if it goes rogue.
They are not on an island; they need to function in society. If they want people outside Canada to use GrapheneOS, then they need to comply with local laws.
Maybe they don't care about that. Maybe they just want to make a secure phone OS, as a sort of hobby, and don't care if anyone uses it but themselves. That's ok too.
People who live in authoritarian states like North Korea or California can (and arguably should) ignore the fact that GrapheneOS is illegal where they live and use it anyway.
If you want a privacy-violating OS, there are already two big options on the market. A secure OS for people who do not live in authoritarian surveillance states offers a benefit to some people, even if not all people. A third privacy-violating OS offers no value to anyone anywhere in the world.
You'd need to closely read the law and have a lawyer advise you, but a neat attempt might be to just ask for the date of birth, send that "in real time" to the App Store program, and then have that program simply discard it?
I don't think current iterations of the law require that this be sent off-device in any way.
The second requirement of the California law is that there be an API available to all apps that returns the age band a user is in -- one of:
age < 13
age >= 13 && age < 16
age >= 16 && age < 18
age >= 18
A non-maliciously compliant implementation would need to retain a date of birth or equivalent until the user was over 18.
A maliciously compliant API could just wait 18 years after account creation before yielding an answer. (remember folks: "real time" does not mean "fast").
One of the oddities about the way the law is phrased is that it requires the age band information about the user be provided to "the developer" rather than to the application.
I know it's gonna be a very unpopular opinion. I do like, appreciate, respect & admire that they are ready to die on a hill. I just don't think it's the right hill. I do not have an issue with the legality of it. Rather I think age verification is actually not bad. Sure i see the potential danger. But there is potential benefits, that'd counter the danger, by a lot.
In different times, i might have argued differently. I'm not saying it's not worth protecting the world you deem worthy of protection. But no matter what that world is to any of you. The one we all share is changing for sure. Uncontrollably fast. And many things are gonna change. And many things won't matter that much anymore, if we actually end up going where we're headed.
I mean a this is just a super small part of it all, but i assume in this specific case, for graphene, it's a battle for privacy... and they're right. But we're still going into a future where we got 5,10,20,30 more years of "AI", even just keeping the same level of overall sophistication for most, but costs decreasing immensely... I don't know about you, but I don't think the ways we protect our privacy can be unaffected, already because we're going to learn all new aspects about which data is private. Just out of practicality. Extreme example: but if generating hundreds of obscene deepfakes of any person as easily as taking a photo with your iPhone... ah, i can't keep having this discussion, i hope i am just an insane moron who is wrong. But, just to be sure: instead of arguing if we should close the windows on the train that's burning, or leave them open, as some are smart and others need help, let's just get off the fucking train.
And yes of course. One might argue (I actually would), we should not start implementing laws like that or start making personal information a requirement to digital access.
But this might be the first step to a different future, or not. As i said, who cares where the train is headed. It's burning and nobody even really wants to be on it. Let's please get off the train.
Not saying the battle is lost. I have tried working on something because I still have great hope. But someone seriously must act. I tried, getting off the train. Or at least start standing up from my seat. Realizing it's not that easy to get off. It's embarrassing, but i can't even get off the train by myself... i tried anyway... but here i am, sitting again (currently on the floor, lost my seat, damn...)... i have been building something for the past 2 years. Well, trying to build something, an attempt to change course... ruining my life over it. And currently i failed, before i even got to a point where my prototype or any of the theoretical work even remotely represents the vision. But maybe i just learned, i was wrong about all of it. I hope i'll make it back being able to afford working on it and someday a way to make enough money to pay smarter people than me to join. But currently, it's insane for me for me to even dare dreaming about that. I have really dug myself a hole. Next time, it should at least be a hill...
So in the meantime: can people like the dudes & dudiñas from graphene please chose a wiser battle. If just some of all these people got together & worked on getting off the train, instead of working on things that seem meaningful now, but wouldn't even be considered worthy of being mentioned in the future... we'd have a shot.
Damn. I still just can't accept it, even though i've literally lost everything believing that. And i am ashamed so deeply believing in what i saw, and in friendly moments still see, as a future... thinking i could change it, without changing myself... but please god, in the end, let me not have been just bonkers, but convicted.
I appreciate the thought, but I personally disagree having seen the patterns of the past 2-3 decades. There is zero real benefit to it save powers that be. Honestly, the only reasonable move forward is non-compliance. Everything else results in steady inching towards full blown panopticon ( and some would argue that we are already there ).
That raises the issues that GrapheneOS needs to solve, which may require more creativity than bold, somtimes combative statements.
If GrapheneOS doesn't comply with laws and regulations then they will sometimes be banned or restricted. If that happens, they may not be "usable by anyone around the world" for long.
That doesn't mean they have to capitulate or sacrifice security. They can find creative solutions, some of which are suggested here. The first step is to carefully read the spec to determine what is necessary, then talk to someone like the EFF, and find a way forward.
Age verification at the OS level makes no sense to me. Most households aren't going to have a separate device for every family member and so you will end up with a tablet or computer set up by one of the parents (and thus having their age stored) that will be used by both parents and children. Likewise, people generally won't create a separate account for every potential user.
> Age verification at the OS level makes no sense to me.
it's the only form of "age verification" which can be done in a somewhat privacy respecting way (as in at most leak the age)
the idea is to "bounce back" the "is old enough" decision to parent controls and let the parent choose (the Californian law doesn't quite do that perfectly, but goes into that direction)
and if you sell what is more or less a general purpose compute/internet access device with OS (which I do include phones into) I think it's very reasonable to either sell it to adults only (with a disclaimer it's "not for children") or include proper parent controls
> Most households aren't going to have a separate device for every family member
in current times in the west it is very very common for many devices to be for one person only. Especially phones, or at least have different (OS) accounts.
but again this comes back to "parent controls", weather that is for a child (OS) account or a way to switch from a child profile to a adult profile doesn't matter
but in the end, the point of such laws should be to give parents tools to parent. As well as handling the case of parent acting in neglect by inaction. But if a parent intentional decides to give their children a device with their profile because they think it's fine than that should be their choice and responsibility.
> Likewise, people generally won't create a separate account for every potential user.
where it was possible I have not seen it not used, weather it's on a switch, gaming console or PC. It is the most convenient way of automatically separates logins, browsing history, game safes etc.
and the law als isn't made for that shared computer in the living room (through it will apply there). It's more about the devices children might use unsupervised, e.g. their phone.
What are you talking about, most households give personal phones to their children, especially teenagers.
Laptops aren't rare either.
Give the kid a device that is age-controlled. No need for all devices to support it.
I suspect there’s quite a difference between what most people do and what most HN commenters do.
I frequently see comments which would have made sense in the past (e.g. early 2000th) but kinda aren't fully reflecting reality anymore
it's as if humans have a tendency to make up their mind/world view in their younger years and then tend to kinda stick with it/only change it slowly as long as no big live changing events happen
In the meantime systemd already added handling for Age to the system bus. Next step is to add your race, then income, then who you voted for...
Why? Why should Linux ever implement local laws like this as core functionality? Especially invasive/anti-privacy ones.
If someone wants to introduce an age-verification-ca-module, fine, but not make it core. Yes I understand systemd is not the kernel, but its ubiquitous enough.
That just says to every country around the world; Windows, Mac, and even Linux is on board too, let's make it law also!
I dunno, I always expected Linux to be the last bastion of freedom and not to capitulate so easily.
> Why? Why should Linux ever implement local laws like this as core functionality? Especially invasive/anti-privacy ones.
1) It's legally required to sell computers with that OS in certain jurisdictions
2) I presume there is at least one person actually selling said
3) The feature is so trivially easy to bypass that it presents no reasonable privacy threat at this time (IIRC, it's just a numeric field with no validation?)
> Why?
it's maintained by companies
they have to comply with law
that they are mostly US companies doesn't exactly help either
Systemd has always rubbed me the wrong way, and its uptake across all the base distros turns me off, but at least...
https://nosystemd.org/
There are still distros without it, I may have to go to one, since I already jumped Win10 to Cachy for the BS MS is pulling. I was going to go systemd-free but Cachy "just worked" compared to the others in terms of setup. So I stuck with it.
I wish Lennart would just stop already.
Finally we can set the evil bit correctly on a kernel level.
That is ok. The writing was on the wall for a while. It is time to let it go. It served its purpose. We might as well start mapping out a way without it in a more serious way out of sheer necessity. I know I am.
I don't see what prevents anyone (e.g., a distro maintainer) from patching that anti-feature out of the source or disabling with with root access. As long as people can control the software running on their machines, which is the idea behind Linux, nothing that people don't actually want will stay in the system.
Systemd shouldn't be foisting this nonsense on Linux users however. I suppose the anti-systemd subset of the Linux community was proven right after all, this is the kind of issue that can end up facing when a huge piece of opinionated software like systemd more or less becomes an indispensable part of Linux.
Western tech direction in the last 5 years:
https://www.youtube.com/watch?v=nXL-r8deB5o
If you think that's bad, just wait till you see eastern tech.
That's an interesting topic. Please, elaborate.
Western surveillance tech is superior because it gives you the option to choose your gender on a fluid scale when they're vacuuming your private data, whereas backwards eastern tech limits you to only male or female.
What about not asking for gender when gender is completely irrelevant to the thing that the user is trying to do?
But how would the government know who's writing mean comments against them online without detailed surveillance?
it was reverted ?
Someone tried to gaslight the maintainers into reverting it and was rejected.
This is excellent; silly laws on the books should exclude countries from access to things.
Unfortunately it’s not enough because there’s also a need to work to get the laws repealed AND stop the endless attempts to bring them back.
GrapheneOS also posted about it on their Mastodon / Fediverse account: https://grapheneos.social/@GrapheneOS/116261301913660830
Can someone catch me up how FB et al are not the ones responsible for age verification?
Is it lack of something similar to PKI for identify verification?
Good on them. Devices shouldn't collect any extraneous data by default other than that needed to fulfill a feature a user consciously selects, and that includes this stupid age verification spyware regimes are pushing.
An adult had to pay for the ISP connection; that's the extent of age verification needed. We shouldn't be demanding adults expose their identities to for-profit entities and surveillance states, so much as mandating for-profit companies make parental controls easier to use, more effective, and stopping them from harvesting data on kids in the first place.
Not every corner of the universe needs to be baby-proofed; we just need to build a society where parents are enabled and supported to be parents, rather than outsourcing such a critical role to strangers and/or devices so they can get back to work.
> An adult had to pay for the ISP connection
In many countries, it is still possible to buy a prepaid SIM without any ID.
> An adult had to pay for the ISP connection
Ever heard of free wifi?
Apps requesting an age is not extraneous and there are many legal and safety reasons why an app may collect this information. If the operating system doesn't do it you run into the cookie banner situation where every individual site has to implement a dialog box asking the user instead of there being a standardized way to do it.
This is absolutely the right stance to take against such stupid mandates.
Apple should be championing this.
How's that gonna pan out with Motorola?
Motorola likely wont sell devices with GOS preinstalled in those regions.
Wasn't most of the hype surrounding the Motorola partnership based on the idea that you'd be able to get a device with GrapheneOS pre-installed, boosting the legitimacy of GrapheneOS as a competitor to Google Android? Sure, "GrapheneOS adds several more supported devices" is cool and all, but it's not nearly as exciting...
More likely they will just add their own age widget themselves
If Motorola have a problem with it, they obviously aren't the right partner for Graphene.
Graphene obviously won't want to partner with a company that immediately bends over backwards for this kind of puritanical nonsense.
Motorola wont break the law. They just wont sell preinstalled devices, if preinstalled devices was even on the table for 2027.
Motorola will obviously have a problem with violating the law in several US states.
Like, what's unclear here? Do you seriously say that corporations should just ignore laws which they don't like?
If shipping a specific device configuration to the US is illegal, Motorola should not ship this specific device configuration to the US.
I do not think our parent is suggesting otherwise.
AFAIK Motorola and GrapheneOS are not merging, they are getting into a partnership. They do not have to think or do exactly the same.
Apple can comply with both CCP and US demands at the same time without a problem. I am sure Motorola can adjust their services to the markets they are working in, as well.
Motorola is pretty much only present in US these days, why would they build a product that can't be sold in their primary market?
Demanding that OSes outright violate the law because you disagree with your own elected government is pretty insane.
Your arguments show a lack of the least imagination, let alone simple reasoning.
There are countless ways to satisfy any regulation while still doing whatever you actually want to do.
The very most obvious is simply sell the device, in the affected areas, with any sort of os that meets the letter of the law in that area.
If it's also easy for the user to install something else once it becomes their property, well that's the new owner's business atthat point, Motorola did their part and complied with everything required.
No one needs to demand a company violate anything. That is just a silly argument to even try to make. Calling people insane for things they never said nor even implied is what's insane.
Can't speak about other continents but Motorola smartphones are at least available all over Europe so your initial statement is incorrect.
They are not building a product that cannot be sold in their primary market. They are not designing GrapheneOS devices, they are improving existing devices to meet GOS requirements. There will still be an OEM OS for those devices. Preinstalled GOS devices can simply not be sold there.
We are back to printing books, boys
Seems like a pure virtue signaling: they don't sell or make hardware. It is mandated only for pre-installed operating systems, from what I understand.
They've partnered with Motorola to have it preinstalled on phones, this is in TFA.
Preinstalled devices is not the main goal of the partnership. GOS is ok without having that to start. Motorolas stock OS will still be available.
Let me add that the typical GrapheneOS user will probably prefer to install the OS themselves rather than trust what comes preinstalled.
Could just ship it along on an SD card with a single button install you do yourself. Technically not preinstalled.
This is emblematic of a misunderstanding technologists often have about the law. We try to treat it like code we can exploit and hack around. But there is no compiler deterministically producing outcomes. Of course, this misunderstanding is often bolstered by the accurate observation that lawyers and businesses find loopholes and favorable interpretations that to us appear much like the exploits we propose. The critical element that's often missed, though, is the human one. To get away with an exploit, to have the case law updated to reflect your favorable interpretation, you need power, influence, and alignment on your interests. There are tax "loopholes" now that are commonly used but in a prior era, under the same laws, would have seen you dragged into court and eviscerated. If you tried your cute SD card trick a judge would tear you a new one. If Microsoft tried it, they could maybe talk to the right people before the case and come to an understanding that this little loophole was convenient for dev devices or something, and convince a judge to rule that they could do it, but only if accompanied by some external age confirmation they could self-attest to, with some wording that makes it clear that the trick is only usable by large and well-respected institutions. The law is not an impartial arbiter that you can outsmart. It's the enforcement mechanism for multiple tiers or rules that bind different classes. This age gathering law is a classic moat law. It exists to prevent outgroups from shipping software that's incompatible with this age communication system, and in a business-to-business context serves to establish obligations between ingroup members. Any other clever interpretation of the law will be discarded regardless of specific wording.
Right, my bad. It's easy to forget our society is a convoluted backroom quid pro quo even if we pretend otherwise on paper.
Sounds like it exposes a ton of attack surface. Better to just have a card with a link to the webinstaller, probably.
I'm sure noone in the legal system of California would notice that trick!
Well correct me if I'm wrong but dumb laws are usually not written by people who know much shit about fuck. So it's entirely possible they wouldn't.
You sound like a teenager fighting his parents. "Technically you didn't say WHICH bed I had to be in by midnight!!!!! I was in A bed, I followed the rules!!!!"
Society (mostly) works because we all agree that laws have intents. The wording is crafted as best as possible, and for the rest we have judges to shutdown lawyers trying to be a moffkalast smart asses.
As they should, I was personally surprised so many people were surprised come ICE raids that government can buy and track location via apps, advertising and your phone in general. Regular people need an idea, who is.. uhh.. less likely to sell them down the river.
Virtue signal away. I’m with whatever device and OS purveyors are willing to tell these tyrants to get stuffed.
I haven’t cut over to it completely yet but I think this’ll be the last nail in the coffin for my time as an Apple user. It’s already a loveless marriage , it’s already over, I’m already sleeping with GrapheneOS on the side. it’s asking when I’m going to leave her and it’s always “soon, baby. soon.”
Its a statement for the future. They arent bound to add this now but they could be in the future. They will adapt accordingly to avoid it.
I think that malicious compliance all the way might have been the better option here. If a birth date is all that is needed, let the user enter a random one. If actual biometric verification is needed alongside, let the user also paste the code to a fake biometric validator that always returns valid.
It is the same philosophy as with an app that forcibly wants an invasive permission to the detriment of the user. Let the app have the permission while in a sandbox so it sees nothing.
Giving in in any capacity is unacceptable. The GrapheneOS foundation is based in Canada and is not obligated to record this information, so they wont. They have no reason to comply, be it malicious or otherwise.
Agreed. This is one of those moments you might as well simply say no. For practical reasons too, your users do have options and tend to be the kind that will drop a distribution if it goes rogue.
They are not on an island; they need to function in society. If they want people outside Canada to use GrapheneOS, then they need to comply with local laws.
Maybe they don't care about that. Maybe they just want to make a secure phone OS, as a sort of hobby, and don't care if anyone uses it but themselves. That's ok too.
People who live in authoritarian states like North Korea or California can (and arguably should) ignore the fact that GrapheneOS is illegal where they live and use it anyway.
If you want a privacy-violating OS, there are already two big options on the market. A secure OS for people who do not live in authoritarian surveillance states offers a benefit to some people, even if not all people. A third privacy-violating OS offers no value to anyone anywhere in the world.
As they stated "If GrapheneOS devices can't be sold in a region due to their regulations, so be it."
Asking the device owner for the user's birth date is precisely what the (California) law requires.
Biometrics are not required.
The concept appears to be that a parent or guardian could enter the birth date before turning the device over to a child.
Malicious compliance would be providing this age bracket API:
boolean is_user_over_18() { sleep (18 * 365.25 * 86400); return true; }
This is a real-time interface (as required by the law) that takes 18 years to complete. (Remember: "Real-time" does not mean "fast").
> Asking the device owner for the user's birth date is precisely what the (California) law requires.
Why would anybody bother to implement that?
The New York bill specifies a biometric requirement.
You'd need to closely read the law and have a lawyer advise you, but a neat attempt might be to just ask for the date of birth, send that "in real time" to the App Store program, and then have that program simply discard it?
I don't think current iterations of the law require that this be sent off-device in any way.
The second requirement of the California law is that there be an API available to all apps that returns the age band a user is in -- one of:
age < 13
age >= 13 && age < 16
age >= 16 && age < 18
age >= 18
A non-maliciously compliant implementation would need to retain a date of birth or equivalent until the user was over 18.
A maliciously compliant API could just wait 18 years after account creation before yielding an answer. (remember folks: "real time" does not mean "fast").
One of the oddities about the way the law is phrased is that it requires the age band information about the user be provided to "the developer" rather than to the application.
> The second requirement of the California law is that there be an API available to all apps that returns the age band a user is in -- one of:
Is anyone actually going to bother to do this though? Why would they?
Agree. I didn't even think of that. Embarrassing. Your approach might have been the best option.
I know it's gonna be a very unpopular opinion. I do like, appreciate, respect & admire that they are ready to die on a hill. I just don't think it's the right hill. I do not have an issue with the legality of it. Rather I think age verification is actually not bad. Sure i see the potential danger. But there is potential benefits, that'd counter the danger, by a lot.
In different times, i might have argued differently. I'm not saying it's not worth protecting the world you deem worthy of protection. But no matter what that world is to any of you. The one we all share is changing for sure. Uncontrollably fast. And many things are gonna change. And many things won't matter that much anymore, if we actually end up going where we're headed.
I mean a this is just a super small part of it all, but i assume in this specific case, for graphene, it's a battle for privacy... and they're right. But we're still going into a future where we got 5,10,20,30 more years of "AI", even just keeping the same level of overall sophistication for most, but costs decreasing immensely... I don't know about you, but I don't think the ways we protect our privacy can be unaffected, already because we're going to learn all new aspects about which data is private. Just out of practicality. Extreme example: but if generating hundreds of obscene deepfakes of any person as easily as taking a photo with your iPhone... ah, i can't keep having this discussion, i hope i am just an insane moron who is wrong. But, just to be sure: instead of arguing if we should close the windows on the train that's burning, or leave them open, as some are smart and others need help, let's just get off the fucking train.
And yes of course. One might argue (I actually would), we should not start implementing laws like that or start making personal information a requirement to digital access.
But this might be the first step to a different future, or not. As i said, who cares where the train is headed. It's burning and nobody even really wants to be on it. Let's please get off the train.
Not saying the battle is lost. I have tried working on something because I still have great hope. But someone seriously must act. I tried, getting off the train. Or at least start standing up from my seat. Realizing it's not that easy to get off. It's embarrassing, but i can't even get off the train by myself... i tried anyway... but here i am, sitting again (currently on the floor, lost my seat, damn...)... i have been building something for the past 2 years. Well, trying to build something, an attempt to change course... ruining my life over it. And currently i failed, before i even got to a point where my prototype or any of the theoretical work even remotely represents the vision. But maybe i just learned, i was wrong about all of it. I hope i'll make it back being able to afford working on it and someday a way to make enough money to pay smarter people than me to join. But currently, it's insane for me for me to even dare dreaming about that. I have really dug myself a hole. Next time, it should at least be a hill...
So in the meantime: can people like the dudes & dudiñas from graphene please chose a wiser battle. If just some of all these people got together & worked on getting off the train, instead of working on things that seem meaningful now, but wouldn't even be considered worthy of being mentioned in the future... we'd have a shot.
Damn. I still just can't accept it, even though i've literally lost everything believing that. And i am ashamed so deeply believing in what i saw, and in friendly moments still see, as a future... thinking i could change it, without changing myself... but please god, in the end, let me not have been just bonkers, but convicted.
(As if that, would be, any different).
I appreciate the thought, but I personally disagree having seen the patterns of the past 2-3 decades. There is zero real benefit to it save powers that be. Honestly, the only reasonable move forward is non-compliance. Everything else results in steady inching towards full blown panopticon ( and some would argue that we are already there ).
The GrapheneOS Mastodon post says,
"GrapheneOS will remain usable by anyone around the world without requiring personal information, identification or an account."
https://grapheneos.social/@GrapheneOS/116261301913660830
That raises the issues that GrapheneOS needs to solve, which may require more creativity than bold, somtimes combative statements.
If GrapheneOS doesn't comply with laws and regulations then they will sometimes be banned or restricted. If that happens, they may not be "usable by anyone around the world" for long.
That doesn't mean they have to capitulate or sacrifice security. They can find creative solutions, some of which are suggested here. The first step is to carefully read the spec to determine what is necessary, then talk to someone like the EFF, and find a way forward.
The problem is the spirit of the law, not the word.