|
|
Log in / Subscribe / Register

Also affects application developers

Also affects application developers

Posted Mar 11, 2026 17:58 UTC (Wed) by dskoll (subscriber, #1630)
Parent article: California's Digital Age Assurance Act and Linux distributions

The law doesn't just affect OS providers. It also affects application developers. From the California law:

1798.501 (b) (1) A developer shall request a signal with respect to a particular user from an operating system provider or a covered application store when the application is downloaded and launched.

"Developer" is defined in the law as "a person that owns, maintains, or controls an application."

So if you write an application that does not request an age-bracket signal from an OS provider, you are breaking the law. This means that technically, cp, ls, and so on need to request an age-bracket signal, though it's not at all clear what they have to do with the signal other than "comply[ing] with applicable law"

The law is a real mess and preferably should be struck down, or if not, then at the very least heavily amended.

to post comments

Also affects application developers

Posted Mar 11, 2026 19:30 UTC (Wed) by RazeLighter777 (subscriber, #130021) [Link]

This was also something I saw from the bill after a close reading of the text. It has garnered little discussion online.

This requirement is arguably much more contentious as it exposes developers of any application to legal liability. I surmise that this requirement alone from the law is unconstitutional.

First, the law burdens the right to receive information (through applications). The U.S. Supreme Court has recognized that the First Amendment protects not only the right to speak but also the right to receive ideas and information, such as in Stanley v. Georgia and Lamont v. Postmaster General. A requirement to present identification before entering a bookstore could deter people from accessing controversial or sensitive material. Courts often treat such “chilling effects” on reading as constitutionally significant.

This law, because it requires developers to distribute their applications and operating systems with a feature to request age bracket data from their users, is compelled speech. This compelled speech is agnostic to the type of application or it's purpose, meaning that it is content-neutral.

Content neutral restrictions on speech typically fall under intermediate scrutiny, as opposed to content-based restrictions which typically fall under strict scrutiny.

To pass intermediate scrutiny, the challenged law must:

1) further an important government interest (lower burden than compelling state interest required by strict scrutiny test)
2) and must do so by means that are substantially related to that interest.

[1]

I would argue that the state has an important government interest to protect children online. However, it's unclear that the state has an interest in ensuring every single program on the operating system requests the users age.

Moreover, this law fails to achieve this by means that are substantially related to this interest as required by law. Let's look at US West, Inc. v. United States [2]. This ruling concerned a law passed preventing telephone providers from providing video services, and was subject to the same intermediate scrutiny.

The court ruled that the state "must demonstrate that the recited harms are real, not merely conjectural, and that the regulation will in fact alleviate these harms in a direct and material way".

It is unclear how the government can demonstrate that the particular harms to children are alleviated by this bill. Requiring every single application to verify the age of the user, regardless of the contents need for age verification, opens up the user to profiling and data collection that place the child at risk. Moreover, it is clear that these measures do not *effectively* mitigate the problem, as the child can (and will!) very simply bypass these measures.

(A child can simply misrepresent their age by setting their age during installation or after the effect. They may also install an operating system without age bracketing APIs in place. Or they can simply install a virtual machine where they control the operating system.)

I don't think these laws are constitutional as written, and the state would have an uphill battle in enforcing them. I expect many more court challenges to arise.

[1]: https://www.law.cornell.edu/wex/intermediate_scrutiny
[2]: https://law.justia.com/cases/federal/district-courts/FSup...

Also affects application developers

Posted Mar 11, 2026 20:34 UTC (Wed) by fredrik (subscriber, #232) [Link] (3 responses)

Heh, almost-sorry-not-sorry for the following noise. Couldn't resist... *<:)
"Developer" is defined in the law as "a person that owns, maintains, or controls an application."
As a devil's advocate - and very much in the spirit of a developer who knowingly attempts to circumvent the law by legally invalid technical interpretations, and who has only read the above quote - what about the following argument?
My client, on trial, admits that they are both, a person who owns[0] the application "Baz", and that they are a person who is a maintainer of the application "Baz". Baz is an application that is provided to users under a FLOSS license.

My client has two objections to the charges of failure to implement functionality in Baz that fulfills the law's age verification requirements.

1. My client argue that they are never in control of said application when it is run by a user of the application on the user's computer. Hence my client can only comply to the law to the extent that the controlling user permits it.

2. Since the law was introduced, my client provides optional patches for the application, which implements a technical measure in the application to fulfill the law. When patched the application inquires the user's age range, and provides said range to any service which the application interacts with and which inquires the application about the user's age.

All users who are under the jurisdiction of the law, are encouraged to run versions of the application which includes these patches.

Hence, my client argues that they cannot be held responsible for users who are within the law's jurisdiction, but still choose not to apply the patches to their copy of Baz. Such unlawful usage is the fault of the user of Baz, not the owner or maintainer of Baz.

So... dear hypothetical arm-chair prosecutors, game on! What is your legal objection to these arguments?

A variation on objection 2: No patches are provided. Instead affected users are encouraged to both implement and apply patches that provide the necessary age verification. Baz is FLOSS after all. The user can modify it to ensure that when executed, Baz complies with any laws applicable to the user.

[0] I interpret "own" in the copyright sense of the word. Again, I really have only read the above quote, nothing more. PS. This comment may well be as obviously stupid as the law. So let me conclude with an preemptive apology to all who are annoyed by it. Cheers!

Also affects application developers

Posted Mar 11, 2026 22:57 UTC (Wed) by Wol (subscriber, #4433) [Link]

> [0] I interpret "own" in the copyright sense of the word. Again, I really have only read the above quote, nothing more. PS. This comment may well be as obviously stupid as the law. So let me conclude with an preemptive apology to all who are annoyed by it.

My reaction was that if you are not the sole maintainer AND copyright holder, then the end user is just as much the owner of a FLOSS program as the maintainers.

Cheers,
Wol

Also affects application developers

Posted Mar 12, 2026 10:12 UTC (Thu) by kleptog (subscriber, #1183) [Link]

This is one of the reasons the "on the market" language the EU uses is so useful. Since it clearly scopes it to commercial transactions with EU entities. This law is placing specific obligations on "developers" and "operating system providers" (where?) but that's actually beside the point. Whether it's a developer, an AI or a vibe-coder doing the implementation, you care about the end-result, not who is doing it.

If this is typical for US regulations, then I understand why you need powerful regulators. Since basically the state has taken it upon itself to try and force companies/people (worldwide?) to work a specific way, rather than defining the rules of the game and letting the market figure out the most efficient way to achieve the desired result.

Also affects application developers

Posted Mar 18, 2026 12:01 UTC (Wed) by vonbrand (guest, #4458) [Link]

Another variation, a configuration option adds age limiting. Perhaps needs to be configured separately for a variety of age-reporting services.

Also affects application developers

Posted Mar 11, 2026 22:47 UTC (Wed) by WolfWings (subscriber, #56790) [Link] (1 responses)

It doesn't even separate out python (the interpreter) versus a python script that uses Tkinter to provide a full GUI interface, under a raw enough reading it appears it would apply to both the interpreter on loading the script AND the script to have to query this nonsense.

Also affects application developers

Posted Mar 11, 2026 22:52 UTC (Wed) by dskoll (subscriber, #1630) [Link]

Also, this part is curious:

"Covered application store" does not mean an online service or platform that distributes extensions, plug-ins, add-ons, or other software applications that run exclusively within a separate host application.

So, hypothetically, if you made a web browser plugin that let people access gambling sites on the Dark Web that aren't normally accessible... your plugin wouldn't need to worry about the user's age? Or, you could make a shared library that grants access to age-restricted material, but because the code runs "exclusively within a separate host application" you're OK? The law as written is a complete dog's breakfast.

Also affects application developers

Posted Mar 12, 2026 6:38 UTC (Thu) by MortenSickel (subscriber, #3238) [Link]

This means that technically, cp, ls, and so on need to request an age-bracket signal, though it's not at all clear what they have to do with the signal other than "comply[ing] with applicable law"

$ cp -R ~dad/pr0n.

Sorry, you are outside the age bracket to access that content


Copyright © 2026, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds