On Age Verification

Introduction

If you have been living under a rock (good for you), several states in America and the country of Brazil have introduced a new law that forces operating system developers to implement "age attestation" of the user, you will have to provide your age and then an age bracket will be stored which will be broadcast to every app and service you use in your operating system, and app stores (apt sources) are required to acknowledge this and filter software based on age, and assume lowest age bracket if the age is not given.

Age verification tracker: https://github.com/BryanLunduke/DoesItAgeVerify/ (fork that maintains links to original developer statements: https://github.com/softcookiepp/DoesItAgeVerify). This has all information regarding it.

In this blog post, I will share my opinions on it and explain why it is impossible to enforce these laws as well as impossible to comply with these laws. It is actually illegal to follow the US law according to the US law, I will explain below.

Facebook

Meta is behind this. Meta is pulling the strings and getting the law makers to pass such laws. Here is the proof:

• https://web.archive.org/web/20260313090844/https://www.reddit.com/r/linux/comments/1rshc1f/i_traced_2_billion_in_nonprofit_grants_and_45/
• https://web.archive.org/web/20260314074025/https://www.reddit.com/r/linux/comments/1rtd51g/update_i_pulled_irs_filings_for_the_org_that/
• https://www.youtube.com/watch?v=4KyiLyOxux8

Since Mark Zuckerberg is the mastermind behind all these, and due to how trustworthy he is

it is logical to expect the very next step from the lawmakers is to make you upload your government issued ID photo to the operating system before setting up the account. So that every action you take in the computer, every local text file you save, every message you send in end to end encrypted messaging apps, every local file you save, every email you send by gpg encrypting it, every social media post you make from an anonymous account, can be pinpointed to who exactly you are and your location, so that the government can keep a social credit score for people and arrest anyone that disagrees with the government and enforce a totalitarian regime like 1984 or present day China.

This is their plan. It is a slippery slope. It is Facebook after all. Now they push for "age attestation" which is "just a minor thing" according to some people and after it is accepted as a "usual thing" they push for a little more like precise age numbers and then you end up with ID.

Linux

The law keeps definitions of "Operating System", "User", "Account" as vague as possible to enforce it into as many places as possible. And anyone with a functioning mind would think the entire Linux community, built around privacy and security, would be vehemently opposed to this law and refuse to follow it and try as much as possible to get this law deleted. But that is where you are wrong. At least most of the people, the users, are against the law.

Ubuntu will comply and Debian will help downstream distros implement it (it is in the tracker). And Arch Linux, an OS literally made to give you full control over your computer, says opposing age verification is violation of code of conduct. There is more on Lunduke's (the only journalist covering these kinds of tech news you wouldn't find on mainstream media) channel. And also systemd, an init process that is supposed to start the system, has a module called userdb and it previously stored a lot of PII like name and email and now it stores user birthdate to comply with the law so that xdg-desktop-portal can use it as a reference to implement the age attestation (PR link). And also linux reddit censors age verification related posts.

systemd

When I started out with Linux I did not understand the hate around systemd. I thought it was just a normal piece of software with unnecessary drama and also it worked kinda fine like it took care of things and was programmable so I didn't understand why people did not like it and moved away from it. But now I do. It is owned by RedHat and is extremely bloated and does things it is not required to do for no reason at all. I hated it more and more as I was going deeper into computers and Linux. It has a local DNS middleman server for god knows why the system needs another middleman when I run my own DNS server. I had to configure a lot of things to make sure the systemd-resolved stays shut down. An init process storing user PII, and modifying it to comply with privacy invasive freedom restricting laws, and resolving DNS, managing IP addresses of network interfaces (systemd-networkd) is too much for an init process, it increases the attack surface and adds too much unnecessary bloat to the system.

Distro hopping

The only developers who oppose this law are listed in the tracker I shared above. I personally use Linux Mint and Mint is currently not affected by systemd storing user birthdate because Mint does not ship with systemd-userdbd (Source) so even if upstream software like xdg-desktop-portal implement it, it will have no point of reference for the user birthdate. However, that is only true for the current state of the OS (22.3 zena). The developers of Mint have not made any public statements regarding age verification and assuming the worst, if they implement age verification by shipping the next update with systemd-userdbd or in some other way, I can simply refuse the dist upgrade. Also I am currently refusing all updates to systemd related packages using this command.

sudo apt-mark hold *systemd*

So the dist upgrades have been refused and systemd related packages have been held back from updating, meaning I have a lot of time to switch to an operating system that publicly opposes age verification as well as does not have systemd. I am choosing to go with Artix (Arch without systemd) for my laptop as it gives full control over my computer, and Devuan (Debian without systemd) for my server for stability. If you are using a Linux distro that is going to implement age verification like Ubuntu or Fedora consult the above tracker to make a decision on the OS that fits your needs and opposes age verification and does not have systemd and switch to it as quick as possible. If you are using Windows switch to Linux, it is a corporate controlled proprietary OS and they already do a lot of spying on you and also Zuckerberg, Bill Gates are all a part of the Epstein class and they are all in this together.

Why is it impossible to enforce this law?

Obviously, Linux is open source and if the OS adds age verification, someone will just fork it and create a "libre" version that doesn't have it. And good luck to government jarheads trying to arrest everyone, you won't have enough room in prison.

Why is it impossible to comply with this law?

Even if every single person in America is willing to comply with this law, it is literally impossible. The law is very very vague about the definitions of an Operating System, an Account, and a User. So almost everything that is technically a "computer" falls into this law. And almost everything that is a computer (that probably runs linux) includes your laptop and desktop and servers (obviously), your smart TV, your smart watch, your calculator (probably), your "smart" washing machine, fridge, dishwasher and other smart devices, your robot vacuum cleaner, your router, raspberry pis that are part of iot devices, any and all forms of iot devices, your CCTV cameras, your baby and dog monitor, believe it or not switches (the layer 2 network devices) are also technically a computer because they have an OS (Cisco IOS), Nintendo Switch console, the gas station pump, your car probably, the bar code scanner at Walmart, traffic signals, public surveillance cameras, your smoke detector, and a lot of things, the list is so long that it cannot be fit in this blog post.

If everyone in America wanted to comply with the law by entering their age into all "computers" they own, the entire internet will break, several people will die, and a lot of things will be broken. So many things in this world are computers.

Right to Repair

Also it is illegal to comply with this law. DMCA Law in the US states that you are not allowed to use technical skills to circumvent DRM on a device (you are legally not allowed to modify a device you own and paid money for) or to "hack" it to run whatever software you want. You could face 5 years in jail or $500,000 fine for changing the electric circuits of a physical device you purchased with money and own in your hand.

Nintendo used this law to sue people breaking into Nintendo Switch (the gaming console) to run custom software. BMW implemented subscription based heated seat, using electricity from the battery of the car that you paid for, generated by the fuel you paid for, which costs the company $0 to produce some heat yet they charge users monthly for it. And it is backed by the law, if you circumvent it to have unlimited heated seat then you go to jail. And Tesla implemented a pay walled battery, you have to pay money to use 100% of the battery that you own. BMW is a horrible company by the way they patented BMW screws that can only be purchased from their vendors to make sure you always come to them for repairs and don't repair on your own, that is a completely different story but America is slowly becoming this corpo owned hell hole.
Sources:

1. https://www.theverge.com/2024/3/4/24090357/nintendo-yuzu-emulator-lawsuit-settlement
2. https://www.notebookcheck.net/Nintendo-lawsuit-ends-in-2-million-settlement-against-Mig-Switch-seller-accused-of-aiding-piracy.1107589.0.html
3. https://arstechnica.com/gaming/2025/05/nintendo-threatens-to-brick-switch-consoles-for-hacking-piracy/
4. https://insideevs.com/news/601330/tesla-backtracks-on-asking-4500-usd-unlock-model-s-range-after-web-outrage/
5. https://electrek.co/2023/08/15/teslas-new-model-s-x-same-battery-pack-but-with-software-locked-capacity/
6. https://www.techspot.com/news/111208-bmw-admits-heated-seat-subscriptions-mistake-but-commits.html
7. https://www.repairerdrivennews.com/2025/12/30/bmw-files-patent-for-screw-that-uses-emblem-as-the-drive-structure/

Coming back to what I was saying, it is illegal to open up your robot vacuum cleaner and flash a custom operating system into it, in the place where the current linux distro of it is running, by somehow wiring it up with a keyboard mouse and display. So you are not allowed to do it or you face prison. But the age verification law says you are required to enter your age into all "computers" you own and the only way to enter it into your robot vacuum cleaner is to circumvent its DRM by breaking it open, which is illegal. (this applies to not just robot vacuum cleaners).

America has finally made it. It is illegal to follow the law. Welcome to land of the free baby, where you are legally not allowed to modify devices you paid money to own and cannot have anonymity and privacy.

Louis Rossmann (the man behind the clippy movement) has been shouting about the "Right to Repair" for a very long time. Please pay attention to that one: https://www.youtube.com/@rossmanngroup/videos and https://consumerrights.wiki/w/Main_Page

Cloud is up there above us

And almost nobody on the internet has covered the cloud side of things related to age verification.

Docker containers are also technically a computer since it is an OS (alpine mostly). Are people required to enter their age inside docker containers too? Are you only required to enter your age when pushing a docker container to the internet or whenever creating it like dev or testing? What about Virtual Machines? Amazon Web Services offer an OS called "Amazon Linux" so they are also operating system developers. So by law they are required to implement age attestation in their OS, I am not sure what they are gonna do about it.

AWS is the biggest cloud provider where majority of production infrastructure lives. Since the law requires every "user" that has an "account" on every "computer" to enter their age, will Jeff Bezos be required to enter his age into every single EC2 instance created in American regions?

Even if he is willing to, let's assume it takes Jeff Bezos 3 seconds to enter his age into 1 EC2 instance (type 2 numbers + enter key + window switching). So that is 86,400/3=28,800. He will be entering his age into 28,800 EC2 instances per day which is a frighteningly low amount of EC2 instances compared to how much actually exist and is being created every day, assuming he is willing to work 24 hours.

Most of the real production infra does not have EC2 instances manually created and provisioned from the console, they are all automated using tools like Terraform. And 28,800 EC2 instances does not count the several internal "technically a computer" servers that are used for things like lambda, ECS, Fargate, EKS and there is still a ton more including other cloud providers, on prem data centers many companies use, and also the on prem network devices (like switches and routers I mentioned above). Now you see why the entire internet will break, it is impossible for the owner of the "computer" to enter their age into every "computer" they own due to the laws of physics.

The law is extremely vague about the definitions either because lawmakers are stupid and think cloud means where we get the rain from or they are evil and want to strip away as much people's rights as possible and I don't know which is worse or it could be both.

Why should someone in India (me, and you, even if you are not in India) care about some American law?

Brazil is a country that is not America yet Facebook pulled strings and got the law passed over there. India is next. Indian government isn't exactly pro consumer rights or pro privacy, law requires VPN services to store logs and share them with the government, that is why ProtonVPN moved away from India. And there were talks about the government banning entire Proton suite from India because some idiot sent a fake bomb threat somewhere using proton email address and they were not able to find him. Call me paranoid but I think the someone is the government making up reasons to ban proton mail.

And even if the law hypothetically never comes to India, if I am using Ubuntu (thankfully I am not) and Ubuntu pushes an update on the day the law takes effect forcing me to enter my age or else lock my drive, I will have no choice but to either comply with the law (which is bad and is a slippery slope like I said above) or to mount the hard drive, somewhere else, copy the files, and reinstall another OS that doesn't have age verification which will be tedious to do after the law has been implemented, hopping to another distro now is easy. This is the same as disaster recovery in Cloud Computing, we don't wait until disaster happens to recover resources, we plan in advance and provision multi AZ or multi region so if disaster affects on AZ or an entire country we would still have other areas up and running.

Here's what you are gonna do

1. Get as many normies to switch to Linux
2. Tell everyone you know about age verification
3. Increase awareness about the importance of privacy, anonymity, security, and right to repair
4. If someone already uses Linux, get them to switch to an OS that doesn't support age verification (see tracker)