261
Colorado proposing Bill to move age verification to Operating System rather than web site (www.biometricupdate.com)
submitted 20 hours ago* (last edited 20 hours ago) by Beep@lemmus.org to c/technology@lemmy.world
93 comments fedilink hide all child comments

Senate Bill 26-051 reflects that pattern. The bill does not directly regulate individual websites that publish adult or otherwise restricted content. Instead, it shifts responsibility to operating system providers and app distribution infrastructure.

Under the bill, an operating system provider would be required to collect a user’s date of birth or age information when an account is established. The provider would then generate an age bracket signal and make that signal available to developers through an application programming interface when an app is downloaded or accessed through a covered application store.

App developers, in turn, would be required to request and use that age bracket signal.

Rather than mandating that every website perform its own age verification check, the bill attempts to embed age attestation within the operating system account layer and have that classification flow through app store ecosystems.

The measure represents the latest iteration in a series of Colorado efforts that have struggled to balance child safety, privacy, feasibility and constitutional limits.

top 50 comments
sorted by: hot top controversial new old
[-] hector@lemmy.today 12 points 3 hours ago

Colorodo democrats have always been lousy. Here they are following texas and montana and tennessee, locking down the internet with dishonest arguments. No one in reality thinks this is about protecting kids, and it's not the state's place to do so, it's the parents, it's a violation of the 1st amendment to make adults expose their identities to people recording everything they do online and using it against them, and selling it to the government.

We need to repeal these bills, and we need a popular open source of model legislation to counter-act ALEC, that writes these bills and state lawmakers just fill in the blanks, after the united corporations give them a plausible excuse to and pay them off

[-] GutterRat42@lemmy.world 4 points 2 hours ago

Google already allows you to save your ID in Google Wallet and share specific details via NFC. Why can't I just use it to provide my year of birth?

[-] kamikazerusher@lemmy.world 1 points 1 hour ago

Seriously. There are better ways to ensure privacy with identity verification.

[-] sturmblast@lemmy.world 7 points 3 hours ago

These people are idiots

[-] Cocodapuf@lemmy.world 5 points 3 hours ago

What would be the point of that? If the check was done locally it would be trivial to spoof.

Technically, this can't work. It's a bad idea.

[-] redwattlebird@lemmings.world 12 points 5 hours ago

At this point, it's probably cheaper and more effective to have proper sex education in schools...

[-] Beep@lemmus.org 3 points 4 hours ago* (last edited 4 hours ago)

At which ages? And how?

[-] phutatorius@lemmy.zip 9 points 6 hours ago

Fucking idiots don't know how operating systems work or what they're for.

[-] Traister101@lemmy.today 12 points 10 hours ago

If I could trust that the people in government know how computers work I'd be down but well I can't

[-] ICastFist@programming.dev 48 points 14 hours ago

I fully expect this to become a move to hamper linux, or any non-windows desktop usage, because "we can't trust a user who has full access to their OS" or some other bullshit.

[-] chunes@lemmy.world 10 points 11 hours ago

Hey Colorado. GFY and get your damn politicians under control.

[-] fluffykittycat@slrpnk.net 33 points 14 hours ago

Holy fuck this is bad

[-] maplesaga@lemmy.world 10 points 13 hours ago* (last edited 13 hours ago)

Only for privacy and anonymity, companies like Google and Microsoft will do fabulously however. Who donates to him I wonder.

[-] melfie@lemy.lol 44 points 16 hours ago

AFAIK, only adults can sign up for internet access, so a minor watching porn on the internet is the same as said minor watching their parents’ adult DVDs or drinking alcohol their parents purchased. It’s already illegal for adults to give minors access to these things, so what’s next? Alcohol bottles that only open and DVDs / Bluerays that only play if you can provide an ID and prove your age every time?

[-] cheesorist@lemmy.world 16 points 6 hours ago

its not about limiting children's access to porn and other stuff, it never was.

[-] IratePirate@feddit.org 5 points 11 hours ago

DON'T give them ideas!

[-] mech@feddit.org 70 points 17 hours ago

Under the bill, an operating system provider would be required to collect a user’s date of birth or age information when an account is established.

It's so fucking obvious the people who wrote this have no idea other operating systems than iOS, Windows and Android exist.

[-] ISOmorph@feddit.org 5 points 6 hours ago

What are you on about? If they get 95% of the population with this it's still a huge win for them.

[-] parzival@lemmy.org 33 points 16 hours ago

Account is created? Who said were making accounts for our operating systems

load more comments (1 replies)
[-] Darkcoffee@sh.itjust.works 148 points 20 hours ago

This is getting ridiculous.

Linux is the only reasonable choice anymore.

[-] floofloof@lemmy.ca 86 points 19 hours ago* (last edited 19 hours ago)

Linux won't be legal in Colorado if they pass this. You'll need an account with some age-policing, ID-reporting corporation to be able to use a computing device.

How do they imagine they could enforce this though? Presumably quite selectively, based on the user's political leanings.

[-] hector@lemmy.today 2 points 3 hours ago

The courts should strike it down, I don't have faith they will side with the constitution, but it's clearly unconstititional and beyond the authority of the state as well, in the realm of interstate commerce which is explicitly given to the feds, whom can't be trusted either obviously.

But the 1st amendment is clearly invalidating this, forcing people to identify themselves to groups that will record everything they say or do and sell it to everyone, including the government, that will chill speech, and groups will punish people for their speech.

Too bad scotus is all in on punishing people for speech though.

[-] SnotFlickerman 24 points 18 hours ago* (last edited 18 hours ago)

Presumably quite selectively, based on the user’s political leanings.

Not defend Democrats too much here, but they clearly have far less of a habit of doling out enforcement based on political leanings than the Republicans, even if they do enforce things quite selectively when it comes to actual leftists while letting Nazis run around with seeming impunity.

Colorado has been a solidly Blue state since the end of the W. Bush years, and even then, it was pretty split down the middle with just over half of the votes going to Bush. It's honestly been mostly-Blue-dominated since 1992. (Lauren Boebert notwithstanding)

Further, the two main sponsors of the bill are both Democrats. This genuinely seems to me to be another example of "heart in the right place but don't know what the fuck they're actually doing" which seems common for the tech illiterate and often for Democrats in general.

Once again, not saying Democrats aren't guilty of selective enforcement, just pointing out that they're far less likely to do so (or at least less likely to do so against conservatives, for genuine leftists it seems up for debate).

Now, that also means nothing in context to how other politicians can use this kind of legislation negatively, even if the writers and sponsors truly have the best of intentions. Democrats had the best intentions when it came to the PATRIOT Act and the creation of the Department of Homeland Security as well, and way back then folks like me were saying "this seems pretty dangerous, especially if we ever have a despot take control of the country and the levers for these tools" which clearly has come to pass.

load more comments (5 replies)
[-] DFX4509B@lemmy.wtf 17 points 18 hours ago

Are they going to check people's PCs at the state borders as they move in then?

load more comments (1 replies)
[-] prex@aussie.zone 4 points 13 hours ago

What is in the actual bill? I haven't read any of this but if it was just a year of birth box at local signup then this could actually be pretty good. A sort of halfway between local only parental controls & age-policing, ID-reporting corporations.

[-] SnotFlickerman 5 points 13 hours ago

https://leg.colorado.gov/bills/SB26-051

Here's a summary, but the text of the actual bill can be gotten by clicking on "Recent Bill (PDF)"

[-] prex@aussie.zone 2 points 8 hours ago

This looks like self-reporting. ie: no third party ID snooping badness. Am I missing something?

load more comments (9 replies)
[-] fubarx@lemmy.world 5 points 11 hours ago

I've been a longtime mobile and web developer, have a teenage kid with a phone, and am a big privacy advocate (card-carrying member of ACLU and EFF). As a parent, I don't want my kid exposed to cyber-bullying, toxic social media, or algorithmic bullshit.

And I will tell you this: the operating system is 100% where you want to do age verification.

I don't want individual social media sites, dodgy third-party orgs, or government agencies scanning our faces or IDs. Under a family sharing plan, the OS already knows how old the kid is. Any site wanting to gate access can privately ask the OS if age > X without spilling their PII. Same concept as OAuth. An opaque, encrypted token indicating GO or NO-GO.

Raging that they shouldn't do any of this is just idiotic. Unfettered access got us CSAM, kids getting radicalized, or bullied to the point of self-harm. Fuck that.

From a technical point of view, having OS-level verification is the least worst, and in my technical opinion, the best option.

[-] undu@discuss.tchncs.de 11 points 10 hours ago

As a software engineer that works on virtualization and is interested in software freedom, this law terrifies me because it's a trojan horse for something much much worse than the already shitty status quo: remote attestation.

And I will tell you this: the operating system is 100% where you want to do age verification

No, it's the last place you want to do this check. Let me explain: because users control the PCs they buy right now, meaning they can install any OS and programa the so wish to install; governments at some point will decide that they cannot trust the results given by any OS.

The only way for governments will be to actually trust third parties (again) that will check properties in your computer through a module that controls the whole computer and users don't have access to.

This is called remote attestation: https://www.eff.org/deeplinks/2023/08/your-computer-should-say-what-you-tell-it-say-1

With this technology, users don't decide what programa they can install and run, they can't even decide what websites can they visit.

It's a brutal encroachment on the computer freedom you have enjoyed up to now, and the perfect tool for an authoritarian government to enforce what can you watch and in general, can do with your computer.

If this law is approved, I guarantee you it will spread and will have expanded versions requiring remote attestation. (Don't worry, lobbyists will find a way to sell remote attestation preserves privacy to make it go down easier)

The end result is a nightmare-fueling scenario where someone like Peter Thiel through Persona not only has your information because it needed to verify to create the account in your computer, but Microsoft also has it, and governments through Microsoft may decide to limit which platforms you can access (X or something worse), if also if you've been a bad citizen, if you can run programs in any computer that can be legally sold.

All in all, this law is incredibly dangerous in the current political climate where even supposedly democratic governments are pushing for more authoritarian controls to digital life. And I'm surprised organisations like EFF haven't seen this yet

[-] fubarx@lemmy.world 1 points 1 hour ago

I'll caveat this by saying IANAL. But the way I read Bill 26-051 is that it's looking to implement "user age attestation" not "device or application" (WEI). Two separate things.

Age Attestation requires the OS (or really, the cloud service that implements account-level authorization) and come up with an "age signal." It prohibits using third-party non-public data, and puts the burden on the OS for managing the Go/No Go process. No PII leaves the device.

The alternative is dystopian, poorly managed KYC/AML over-reaches. Under the guise of anti-fraud/anti-gambling, these will reach deep into our communal shorts. They could well soon require individual biometric verification (iris scans, face contour maps, fingerprints, etc). No, thanks.

WEI is a separate story. It's trying to cut down on malicious apps and maybe stop individual sites doing browser fingerprinting. It can only work on systems with single-points of app installation (without side-loading) and devices already locked down with hardware TPMs. So far, that only covers iOS. All the other systems (Linux, Mac, Windows, and Android) let you install your own system-level code without having to go through the One Official appstore. And with WASM, the browser makes it all moot.

Personally, I think WEI is a total waste of time. Trying to squeeze the toothpaste back into the tube. But it's solving a different problem than age verification.

Not to say the Colorado bill is perfect. There is a truck-sized app vs. website loophole in it, so kids can still access social media sites from the browser vs their phones. But the OS can offer an API that browsers can vend to websites without every site rolling their own crappy system. It also doesn't account for a clever kid figuring out how to create a separate adult-appearing user account. Because of course, they will.

Saying it's parental responsibility is unrealistic. I've helped folks set up Screentime, router-level filters, and even Circle (in-home ARP spoofing box, and mobile VPN + fine-grain URL filtering). There are ways around all of it. Besides, the kids can still get exposed to utter bilge via school-approved sites like Zoom, YouTube, or Google Drive. Let's not even bother with messaging apps or in-game chat. This is all assuming parents have the time or knowledge to set things up and manage the filters.

We're not trying to be over-controlling, stop the kids from dancing too close at the prom, or yuck their yum. But as parents, we do want to have some sort of say in what they're exposed to online before their brains have the capacity to process them. The risk to their mental health is real, and just YOLOing it hasn't worked out too well.

I'm sure there's a lot of subtle behind-the-scenes stuff in the Colorado bill. I'll wait to hear what EFF or Mike Masnick have to say about it. But as a techie, app developer, and parent, it reads like the least-worst way to keep a minor away from nasty crap without requiring every one of us to scan our faces and provide IDs to every rando website.

[-] CeeBee_Eh@lemmy.world 7 points 10 hours ago

And I will tell you this: the operating system is 100% where you want to do age verification.

Oh, what's that you're using? It's Linux? Sure that's fine, just make sure the age verification check works on it.

Wait, what do you mean you have "root access"? Why do you keep repeating "it's my hardware and I own it"? You removed the age check system? You can do that! Hey, he's not supposed to be able to do that!

Colorado proposes bill to ban open source operating systems

As a parent, systems and web developer of both open source and proprietary software. This would single-handedly be one of the most damaging things to ever happen to the world of personal computing.

From a technical point of view, having OS-level verification is the least worst, and in my technical opinion, the best option.

It's a horribly bad opinion. It's the same old problem with client-side anti-chest. You can't trust the hardware. If the user has full access to the computer, then they can do whatever they want with it. This is a core issue in security modelling. So what's the answer? Try to lock down the system. This is why anti-cheat software, to play a video game, has more access to your computer's hardware than you do as a user. Full access to every single file, data in memory, webcams, things on screen, etc.

What's going to happen if it becomes mandated that age checks must happen in the OS? We're going to get computers so locked down that you won't be able to open a .txt file without some kind of authentication check.

No thanks. I'm happy to avoid every single age-check required service.

[-] fubarx@lemmy.world 1 points 56 minutes ago

I won't repeat what I said in the sibling thread.

But I don't see anywhere in this specific Colorado bill trying to restrict OS level features or go anywhere near open-source. As a parent, if I put little Timmy on Arch and give him root access, I don't get to bitch about what they do online.

This is about a single signal (kid/no kid) at the user-auth level, without slurping up PII and shipping it off into the ether.

[-] eager_eagle@lemmy.world 61 points 19 hours ago

"OPERATING SYSTEM PROVIDER" MEANS A PERSON THAT DEVELOPS, LICENSES, OR CONTROLS THE OPERATING SYSTEM SOFTWARE ON A DEVICE.

great, for my devices then, that would be me

[-] SnotFlickerman 23 points 15 hours ago

[-] black_flag@lemmy.dbzer0.com 44 points 18 hours ago

Age verification is identity verification.

[-] mrnngglry@sh.itjust.works 12 points 15 hours ago

Why can’t we just have better parental controls? I’m a parent and I do want to protect my kids but I will not upload a photo or anything else.

[-] unknownuserunknownlocation@kbin.earth 28 points 18 hours ago

For fuck's sake.

What are parental controls?

[-] DFX4509B@lemmy.wtf 26 points 18 hours ago

Goodbye tech ownership in Colorado if this passes. We're moving one step closer to the government issuing out thin clients that only they control.

[-] riskable@programming.dev 35 points 20 hours ago

Just think: Without legislation like this, kids will be able to see people having sex! Thus, ending their lives. Not so different from staring into the eyes of Medusa!

The amount of children exposed to sex that have died—or suffered worse consequences like early onset conservatism—may have been zero so far but the dangers are clear! We must skip right over parental involvement in child rearing and go straight to the source of the problem: Computers.

Computers have been giving everyone access to too much information for too long! We must restrict it! The first step is to get an implementation that actually works to censor information—to save the children (wink wink)—then later, we will have the tools necessary to censor whatever we want!

When glorious dictator decides that information about trans-genic mice must be erased from the Internet, we shall have the power to do so!

load more comments (9 replies)
[-] hansolo@lemmy.today 21 points 19 hours ago

Not the OS.

The OS "provider"

Linus Torvalds ain't gonna check my ID. And i don't want him to, either.

[-] PriorityMotif@lemmy.world 35 points 18 hours ago

Everyone was born at 00:00:00 UTC on 1 January 1970

load more comments
view more: next ›
this post was submitted on 21 Feb 2026
261 points (100.0% liked)

Technology

81653 readers
3963 users here now

This is a most excellent place for technology news and articles.

Our Rules

  1. Follow the lemmy.world rules.
  2. Only tech related news or articles.
  3. Be excellent to each other!
  4. Mod approved content bots can post up to 10 articles per day.
  5. Threads asking for personal tech support may be deleted.
  6. Politics threads may be removed.
  7. No memes allowed as posts, OK to post as comments.
  8. Only approved bots from the list below, this includes using AI responses and summaries. To ask if your bot can be added please contact a mod.
  9. Check for duplicates before posting, duplicates may be removed
  10. Accounts 7 days and younger will have their posts automatically removed.

Approved Bots

founded 2 years ago
MODERATORS
L3s@lemmy.world
enu@lemmy.world
technopagan@lemmy.world
L4s@lemmy.world
L3s@hackingne.ws