Not such a bad idea [LWN.net]

Not such a bad idea

Posted Mar 12, 2026 2:35 UTC (Thu) by marcH (subscriber, #57642)
In reply to: Not such a bad idea by dskoll
Parent article: California's Digital Age Assurance Act and Linux distributions

> First, a website can use the "age bracket" indicator to eventually determine the user's actual date of birth, or close to it.

Then what? If only the date of birth were the worst privacy issue on the Internet...

> Second, determining that someone is a minor can as well be used for nefarious purposes as for beneficial ones. Think targeted ads, or actually even worse, depending on what a website can trap someone into doing.

Just because the API exists does not mean everything is allowed to use it - same as location, camera, microphone, etc. Exactly like with these other permissions today, an app or site requesting age when it has no reason too is not discrete and immediately draws suspicion.

> So it's just as effective to have an adult web site have something saying "You must be 18 or over to use this site" and have the person assert the age bracket when they enter the site.

Already answered.

> Fourth, I'm an adult. All of my kids are adults. Anyone who uses my computer is an adult. I don't feel that I should share my date of birth, or age, or even age bracket with my operating system or random applications. They have no need to know that.

If you had spent a fraction of the time looking at the proposal (or even just thinking about it), you would have noticed that there is only one age bracket above 18.

to post comments

Not such a bad idea

Posted Mar 12, 2026 14:14 UTC (Thu) by dskoll (subscriber, #1630) [Link] (8 responses)

Then what? If only the date of birth were the worst privacy issue on the Internet...

Every new piece of information that can be deduced is yet one more widening of the attack surface for (eg) identity theft.

Just because the API exists does not mean everything is allowed to use it

Nope. Read the law. Every single application is required to ask for an age bracket signal.

you would have noticed that there is only one age bracket above 18.

Every new API is a widening of the attack surface. Every new piece of information an OS stores about me (and remember, it stores age or date of birth) is one more piece of thing that could be exposed in a hack.

Not such a bad idea

Posted Mar 12, 2026 14:26 UTC (Thu) by marcH (subscriber, #57642) [Link] (4 responses)

> Every new piece of information that can be deduced is yet one more widening of the attack surface for (eg) identity theft.

Identity theft is a real issue but it's a couple orders of magnitude worse in (at least) the US because of the incredibly stupid belief that immutable personal information 1. can be kept forever secret 2. can be used as a password!? This is especially stupid considering all that basic personal information is _already_ out of the bag and is already being marketed on more or less legal platforms. The sooner people in the US abandon those complete privacy illusions and get back to reality, the better.

There used to be a smarter time when people in the US didn't try to keep their social security number secret - just like in many other countries. I don't know what happened then.

> Nope. Read the law. Every single application is required to ask for an age bracket signal.

Not my understanding.

Not such a bad idea

Posted Mar 12, 2026 14:40 UTC (Thu) by dskoll (subscriber, #1630) [Link] (3 responses)

> Nope. Read the law. Every single application is required to ask for an age bracket signal.

Not my understanding.

Did you read the text of the law? Particularly 1798.501 (b) 1.

Not such a bad idea

Posted Mar 12, 2026 16:06 UTC (Thu) by kleptog (subscriber, #1183) [Link]

This language is terrible:

> 1798.501. (b) (1) A developer shall request a signal with respect to a particular user from an operating system provider or a covered application store when the application is downloaded and launched.

So the Developer is a little daemon living inside your machine that has to do something ("request a signal") when you as a user do something ("download an application").

In all likelihood the Developer is actually asleep or busy doing actual useful work. Terry Pratchett makes jokes about machines being run by daemons, but that's not the real world. Which branch of government is tasked with ensuring legislation is actually sensible? The above is grammatically correct, but meaningless.

Not such a bad idea

Posted Mar 12, 2026 16:17 UTC (Thu) by marcH (subscriber, #57642) [Link] (1 responses)

The text of the law has plenty of issues, especially the somewhat fictional line between "operating system" and "application". Would "curl" be part of the former or latter? Probably both...

On the other hand, the _intent_ of the law is pretty clear and stated in the first paragraph: make sure service providers grant children the "protections afforded to children". As the LWN article notes:

> One might wonder why the state of California wouldn't extend such courtesies to all users.

Obviously not a lawyer but if "applications" and online services don't want to be bothered by this new law, then easy enough: make your entire service "child-friendly" and don't spy on adults more than you're allowed to spy on children. Problem solved: if you assume the lowest age bracket then you don't need to ask for the actual age bracket. That's just basic logic and common sense but I agree it would be better to clarify it in the law.

Not such a bad idea

Posted Mar 16, 2026 18:14 UTC (Mon) by zhaan (guest, #177139) [Link]

> The text of the law has plenty of issues, especially the somewhat fictional line between "operating system" and "application". Would "curl" be part of the former or latter? Probably both...

"curl" is very much an application. It's separately developed, is cross platform, etc. It does not provide additional access to applications/services on top of it and doesn't even have HTML/CSS/JS support.

In terms of an example for "both", Emacs is a better example. Or Firefox/Chromium.

Not such a bad idea

Posted Mar 12, 2026 16:42 UTC (Thu) by jzb (editor, #7867) [Link] (2 responses)

The law is terrible, no doubt, but I think the definition of "application" is narrower than "every single application." The law defines an "application" as something that can "access a covered application store or can download an application", with an exemption for downloading extensions, etc. from an application store. Including the requirement to download applications or interact with an app store narrows what is considered "an application" considerably.

It would seem to include things like APT, DNF, flatpak, snap, GNOME Software, KDE Discover, etc., but exclude most of the software shipped with and used on a Linux distribution unless one is trying hard to stretch the definition considerably. At least that is my reading of the law; I am, of course, not a lawyer, nor do I play one on TV.

Not such a bad idea

Posted Mar 12, 2026 16:52 UTC (Thu) by dskoll (subscriber, #1630) [Link]

Actually, it depends on your interpretation of the subordinate clause. Here's the text:

"Application" means a software application that may be run or directed by a user on a computer, a mobile device, or any other general purpose computing device that can access a covered application store or download an application.

You are taking the "that can access..." clause to modify "Application". However, I read it as modifying "a computer, a mobile device, or any other general computing device that can..."

If the word "and" had been inserted before "that can", then the "that can" clause would unambiguously refer to the "Application". As it stands, I believe it refers to the computing device.

Not such a bad idea

Posted Mar 13, 2026 13:39 UTC (Fri) by misc (subscriber, #73730) [Link]

Given Flathub distributed at least one game that would surely be classified as "not for kids" (the old Katawa Shoujo package), and now distribute a new modernized version ( https://flathub.org/fr/apps/sh.fhs.ksre ), I think that at least flatpak/flathub would be covered by the spirit of the law.

I do not know if the new version is the same as the old, but nothing indicate that the content was removed, and this is easy to verify.

For people who prefer to read code, there is some code around handling adult content on https://codeberg.org/fhs/katawa-shoujo-re-engineered/src/...

For people who prefer text, I think the game/script-a4-lilly.rpy file around line 3610 would be one of the clearest place.

And for those who prefer images to text, there is some explicit pictures in one of the game/event folder.

And of course, for people who want to test the game, you can just finish it in around 8h ( https://howlongtobeat.com/game/4943 ).

IIRC, there is a option to turn on/off the NSFW part, and I do not know if this is on or off by default. But I do not think this matter that much in practice, except that this is one example where a unified API would be useful (eg, something for parental lockdown).