California has begun correcting one of the most visible errors in its new legal framework for verifying age online: the impact on Linux and free software. Bill AB 1856 proposes to exclude from the definition of “operating system provider” those who distribute software under licenses that permit copying, redistributing, and modifying the code. In practice, this wording would ease pressure on distributions like Debian, Fedora, Ubuntu, Arch Linux, or Linux Mint, which do not operate as closed platforms with accounts, app stores, and centralized control.
The correction was necessary. The original law, AB 1043, known as the Digital Age Assurance Act, shifted some age verification responsibilities to the operating system. Starting January 1, 2027, covered providers would need to request the user’s age or date of birth during account setup and generate an age band signal for applications and stores. On paper, the idea aims to protect minors. In practice, it turns the operating system into a user classification layer.
The problem is not only with Linux. It lies in the underlying philosophy. Age verification is being presented as a technical solution to social, educational, family, product design, and business model issues. And often, it doesn’t solve anything. It only shifts responsibility, adds friction, creates identification infrastructure, and pushes users to circumvent the system.
Linux is not iOS, Android, or Windows
The new AB 1856 seeks to better specify the law. Its text excludes those who distribute operating systems or applications under licenses that allow copying, redistributing, and modifying the software. It also clarifies that the operating system’s obligation would apply when there is an account configuration function for using the system on a specific device. This is an important change because many Linux distributions do not have centralized accounts, telemetry, mandatory official stores, or a company controlling the end-to-end experience.
The original design seemed to consider platforms like iOS, Android, Windows, or macOS—commercial systems with accounts, stores, common APIs, developer agreements, and capacity to enforce technical requirements. Linux works differently. It can be downloaded from a mirror, modified, recompiled, forked, and redistributed. The same distribution can have different installers, community derivatives, alternative repositories, and can be used offline without online accounts.
Claiming that this universe behaves like a closed age verification platform was a bad technical and legal idea. Who would need to comply? Debian as a project? A foundation? A maintainer? A mirror server? Someone packaging a derived ISO? The amendment recognizes, even indirectly, that free software doesn’t fit that mold.
| Element | Closed Platforms | Open Source Linux Distributions |
|---|---|---|
| Centralized account | Common | Not necessarily present |
| App store | Controlled by provider | Multiple repositories and external software |
| Telemetry | May be integrated | Not a core part of the model |
| Distribution control | Centralized | Decentralized and forkable |
| Legal compliance | Assigned to a company | Diffuse across community projects |
| Age verification | Integrable into account | Hard to enforce without breaking the model |
The Electronic Frontier Foundation criticized AB 1043 for creating unnecessary barriers for adults and youth, impacting small and open-source developers, and raising privacy risks because age verification systems are not perfect at protecting data, ensuring universal access, or securely handling sensitive information. That criticism remains valid even if Linux becomes more protected. It only shifts the scope of the problem.
Verifying age does not equate to better protection
A major flaw of many age verification rules is confusing access control with effective protection. If a minor wants to access a restricted service, they can use an adult’s account, a VPN, another device, an unverified app, mirror websites, or less monitored platforms. If a social network becomes more restrictive, some usage may move to spaces with poorer moderation and fewer resources.
Australia is the example that half the world is watching. Its social media restrictions for users under 16 came into effect in December 2025, and eSafety reported that platforms had removed access to 4.7 million accounts of minors under 16 by mid-December. The figure is impressive but also reveals the scale of the problem: millions of accounts deleted do not mean millions of minors protected long-term. It shows a barrier exists, and many users will attempt to bypass it.
Platforms like Snapchat, Meta, and others have warned about technical loopholes, misestimation of age, and minors migrating to other services. Facial verification can fail for years. Identity documents pose privacy risks. Age declarations are easy to fake. App store verification doesn’t cover the entire web. Operating system verification makes the device a source of sensitive signals.
It’s the classic case of putting a gate in the field. You can erect a fence at a specific point, but the internet is not a closed compound. It’s a network of devices, browsers, applications, operating systems, repositories, websites, social media, messaging, proxies, forks, and international services. Closing one door doesn’t necessarily prevent passage; often, it just shifts traffic to an area with less visibility.
The danger of building a permanent identity infrastructure
The deeper concern isn’t just that age verification may be ineffective. It’s that it can leave behind a very useful infrastructure for other purposes. Once operating systems, browsers, stores, and platforms start exchanging age signals, the temptation to expand their use grows quickly: content, advertising, shopping, recommendations, messaging, parental controls, access to communities, moderation, regulatory compliance, or even political restrictions in certain countries.
Proponents of these laws often insist they only share an age range, not an exact age. It’s better than handing out a document to each website but doesn’t eliminate the problem. An age range remains a sensitive data point when combined with account info, device type, behavior, approximate location, browsing history, or ad profiles.
From a technical standpoint, the key questions are: who generates the signal? who validates it? who can request it? how is abuse prevented? how do we audit? what about shared users? how are errors corrected? what happens to users without documentation? how do we prevent the signal from being used for other purposes?
| Verification Model | Main Problem |
|---|---|
| Self-declaration of age | Easy to fake |
| ID document | High privacy and exclusion risks |
| Facial estimation | Biometric errors, biases, and doubts |
| App store | Does not cover the entire web or all devices |
| Operating system | Turns the device into an identification layer |
| Social network | Arrives late if the user lies or migrates to another platform |
Social media: the most visible battleground
Age verification on social platforms will be the showcase of this tension. Instagram, TikTok, YouTube, Snapchat, X, Twitch, Discord, and Reddit face pressure over harmful content, recommendation algorithms, targeted advertising, mental health, sextortion, gambling, disinformation, and minors accessing inappropriate spaces.
But demanding verification alone doesn’t solve these issues. A platform can verify ages and still design addictive products. It can expel minors from a large network and push them into less moderated communities. It can reduce legal liability without improving design. It can mistakenly ban legitimate users while allowing others who are skilled at deceiving the system.
True protection involves more: better default settings, less addictive design, clear limits on aggressive recommendations, algorithmic transparency, effective moderation, functional reporting channels, digital literacy, reasonable family controls, and accountability for advertising models that benefit from screen time. Age matters, but it’s no substitute for safe design.
The amendment saves Linux but does not fix the internet
AB 1856 is an improvement because it prevents a law aimed at big platforms from impacting free software. But it does not turn age verification into a magical solution. It only reduces one of its most absurd side effects.
The debate should shift from “how do we verify everyone” to “how do we design less harmful services without building a permanent identification network.” That’s a key difference. The first approach creates doors, permissions, signals, accounts, and technical obligations. The second pushes platforms to change products, incentives, and practices.
California has learned that legislating about operating systems without understanding open source creates problems. Now, lawmakers need to grasp something broader: regulating the internet as if it were just a series of closed doors doesn’t work either. Minors need protection, but turning each device into a point of age control is a convenient but ineffective answer.
Child safety shouldn’t be an excuse for normalizing more identification, friction, and surveillance. If a measure doesn’t genuinely reduce harm but introduces new privacy and exclusion risks, the tech sector has grounds to question it. And in this case, Linux was only the first warning.
FAQs
Has California removed age verification for operating systems?
No. The original law remains scheduled for 2027. AB 1856 proposes changes, including an exemption for software distributed under licenses that allow copying, redistributing, and modifying.
Would Linux be exempt from the law?
The new wording probably excludes most open source Linux distributions, though final text and interpretation will matter.
Does age verification on social media truly protect minors?
It can block some access but doesn’t solve issues like addictive design, harmful content, recommendation algorithms, or migration to less controlled platforms.
Why are these measures called “gates to the field”?
Because the internet is decentralized and easily bypassed through other accounts, devices, apps, VPNs, alternative websites, or platforms not covered. The barrier may be visible but isn’t always effective.