Senate Bill 26-051 reflects that pattern. The bill does not directly regulate individual websites that publish adult or otherwise restricted content. Instead, it shifts responsibility to operating system providers and app distribution infrastructure.
Under the bill, an operating system provider would be required to collect a user’s date of birth or age information when an account is established. The provider would then generate an age bracket signal and make that signal available to developers through an application programming interface when an app is downloaded or accessed through a covered application store.
App developers, in turn, would be required to request and use that age bracket signal.
Rather than mandating that every website perform its own age verification check, the bill attempts to embed age attestation within the operating system account layer and have that classification flow through app store ecosystems.
The measure represents the latest iteration in a series of Colorado efforts that have struggled to balance child safety, privacy, feasibility and constitutional limits.
I’ve been a longtime mobile and web developer, have a teenage kid with a phone, and am a big privacy advocate (card-carrying member of ACLU and EFF). As a parent, I don’t want my kid exposed to cyber-bullying, toxic social media, or algorithmic bullshit.
And I will tell you this: the operating system is 100% where you want to do age verification.
I don’t want individual social media sites, dodgy third-party orgs, or government agencies scanning our faces or IDs. Under a family sharing plan, the OS already knows how old the kid is. Any site wanting to gate access can privately ask the OS if age > X without spilling their PII. Same concept as OAuth. An opaque, encrypted token indicating GO or NO-GO.
Raging that they shouldn’t do any of this is just idiotic. Unfettered access got us CSAM, kids getting radicalized, or bullied to the point of self-harm. Fuck that.
From a technical point of view, having OS-level verification is the least worst, and in my technical opinion, the best option.
As a software engineer that works on virtualization and is interested in software freedom, this law terrifies me because it’s a trojan horse for something much much worse than the already shitty status quo: remote attestation.
No, it’s the last place you want to do this check. Let me explain: because users control the PCs they buy right now, meaning they can install any OS and programa the so wish to install; governments at some point will decide that they cannot trust the results given by any OS.
The only way for governments will be to actually trust third parties (again) that will check properties in your computer through a module that controls the whole computer and users don’t have access to.
This is called remote attestation: https://www.eff.org/deeplinks/2023/08/your-computer-should-say-what-you-tell-it-say-1
With this technology, users don’t decide what programa they can install and run, they can’t even decide what websites can they visit.
It’s a brutal encroachment on the computer freedom you have enjoyed up to now, and the perfect tool for an authoritarian government to enforce what can you watch and in general, can do with your computer.
If this law is approved, I guarantee you it will spread and will have expanded versions requiring remote attestation. (Don’t worry, lobbyists will find a way to sell remote attestation preserves privacy to make it go down easier)
The end result is a nightmare-fueling scenario where someone like Peter Thiel through Persona not only has your information because it needed to verify to create the account in your computer, but Microsoft also has it, and governments through Microsoft may decide to limit which platforms you can access (X or something worse), if also if you’ve been a bad citizen, if you can run programs in any computer that can be legally sold.
All in all, this law is incredibly dangerous in the current political climate where even supposedly democratic governments are pushing for more authoritarian controls to digital life. And I’m surprised organisations like EFF haven’t seen this yet
I’ll caveat this by saying IANAL. But the way I read Bill 26-051 is that it’s looking to implement “user age attestation” not “device or application” (WEI). Two separate things.
Age Attestation requires the OS (or really, the cloud service that implements account-level authorization) and come up with an “age signal.” It prohibits using third-party non-public data, and puts the burden on the OS for managing the Go/No Go process. No PII leaves the device.
The alternative is dystopian, poorly managed KYC/AML over-reaches. Under the guise of anti-fraud/anti-gambling, these will reach deep into our communal shorts. They could well soon require individual biometric verification (iris scans, face contour maps, fingerprints, etc). No, thanks.
WEI is a separate story. It’s trying to cut down on malicious apps and maybe stop individual sites doing browser fingerprinting. It can only work on systems with single-points of app installation (without side-loading) and devices already locked down with hardware TPMs. So far, that only covers iOS. All the other systems (Linux, Mac, Windows, and Android) let you install your own system-level code without having to go through the One Official appstore. And with WASM, the browser makes it all moot.
Personally, I think WEI is a total waste of time. Trying to squeeze the toothpaste back into the tube. But it’s solving a different problem than age verification.
Not to say the Colorado bill is perfect. There is a truck-sized app vs. website loophole in it, so kids can still access social media sites from the browser vs their phones. But the OS can offer an API that browsers can vend to websites without every site rolling their own crappy system. It also doesn’t account for a clever kid figuring out how to create a separate adult-appearing user account. Because of course, they will.
Saying it’s parental responsibility is unrealistic. I’ve helped folks set up Screentime, router-level filters, and even Circle (in-home ARP spoofing box, and mobile VPN + fine-grain URL filtering). There are ways around all of it. Besides, the kids can still get exposed to utter bilge via school-approved sites like Zoom, YouTube, or Google Drive. Let’s not even bother with messaging apps or in-game chat. This is all assuming parents have the time or knowledge to set things up and manage the filters.
We’re not trying to be over-controlling, stop the kids from dancing too close at the prom, or yuck their yum. But as parents, we do want to have some sort of say in what they’re exposed to online before their brains have the capacity to process them. The risk to their mental health is real, and just YOLOing it hasn’t worked out too well.
I’m sure there’s a lot of subtle behind-the-scenes stuff in the Colorado bill. I’ll wait to hear what EFF or Mike Masnick have to say about it. But as a techie, app developer, and parent, it reads like the least-worst way to keep a minor away from nasty crap without requiring every one of us to scan our faces and provide IDs to every rando website.
Oh, what’s that you’re using? It’s Linux? Sure that’s fine, just make sure the age verification check works on it.
Wait, what do you mean you have “root access”? Why do you keep repeating “it’s my hardware and I own it”? You removed the age check system? You can do that! Hey, he’s not supposed to be able to do that!
Colorado proposes bill to ban open source operating systems
As a parent, systems and web developer of both open source and proprietary software. This would single-handedly be one of the most damaging things to ever happen to the world of personal computing.
It’s a horribly bad opinion. It’s the same old problem with client-side anti-chest. You can’t trust the hardware. If the user has full access to the computer, then they can do whatever they want with it. This is a core issue in security modelling. So what’s the answer? Try to lock down the system. This is why anti-cheat software, to play a video game, has more access to your computer’s hardware than you do as a user. Full access to every single file, data in memory, webcams, things on screen, etc.
What’s going to happen if it becomes mandated that age checks must happen in the OS? We’re going to get computers so locked down that you won’t be able to open a .txt file without some kind of authentication check.
No thanks. I’m happy to avoid every single age-check required service.
I won’t repeat what I said in the sibling thread.
But I don’t see anywhere in this specific Colorado bill trying to restrict OS level features or go anywhere near open-source. As a parent, if I put little Timmy on Arch and give him root access, I don’t get to bitch about what they do online.
This is about a single signal (kid/no kid) at the user-auth level, without slurping up PII and shipping it off into the ether.