It's for the Children!

On 1 January 2026, a bill passed unanimously by the California legislature, AB 1043, will become law. Title 1.81.9 (Digital Age Assurance Act) of the California Civil Code will require the providers of every computer operating system to add an age attestation system to create any user account on a computer. Now that this bill has been enacted into law in California, Colorado's legislature is now considering a bill, SB26-051, that closely mirrors the California law.

Computer KidThese bills cover all operating systems. Windows, Mac, Linux, Android, iOS…it doesn't matter. To create any user account on any computing device, you'll have to provide age data for the account user. If the operating system has an application store to download software, like Google Play, or the Apple App store, the application store must request this age data from the operating system. Essentially, every computer, tablet, or phone will be required to collect this data, store it, and provide it to basically anyone that asks for it. The penalty for violating the law is a fine of up to $7,500 per child who accesses the device, which will be levied against the developer of the operating system.

The thing that makes these laws so seductive is that they're being proposed as a more "privacy-focused" alternative to the age verification laws of Texas, Louisiana, and Utah, which require applications to use "commercially feasible" methods to verify ages. While those state laws don't specifically require government-issued IDs or biometric identification, companies will almost invariably resort to those methods to avoid the draconian penalties for failure. This has its own risks. A few months ago, Discord's attempts to comply with the UK's age verification laws directly resulted in a data breach that compromised 70,000 user accounts, exposing thousands of ID cards and credit cards to malicious actors.

Google, Apple, and Microsoft will comply with these California and Colorado laws without question. It's in their interest to do so to avoid competition. Other tech executives, like Meta's Mark Zuckerberg, have already stated that they want OS-level age verification, so they don't have to impose it in apps like Facebook.

But while Big Tech may be eager to comply, these laws hit the Linux/FreeBSD/Open Source world especially hard, which is why the big three OS developers are happy with it. Take Linux for example. While there are some companies that directly issue their own Linux distributions, such as Red Hat, or System 76, The vast majority of Linux distributions are managed by a volunteer developer community, or by small non-profit organizations. The potential civil liabilities could bankrupt them instantly. Thus, their best interest is not to distribute Linux in California or Colorado. Such a law gives Big Tech companies a more non-competitive environment in those states.

The implementation requirements for the CA and CO laws are monumentally stupid. The law requires that you provide the age data once, at account setup. Fortunately, it doesn't require any age verification (yet). It's an age attestation, but, since it doesn't (yet) require an age verification system, you can just, you know, lie about the account user's age. Alternatively, you might give an old computer to your kid. In that case, even if you did use the correct age data when you created the user account, the age data is no longer valid.

The California argument is that if we do age attestation at the OS level, then just send a flag from your computer that only identifies your general age range (a so-called "age signal"), then privacy is preserved without having to store your personally identifiable data. And, to be fair, that's certainly true, in theory, with the current requirements of the law.

No matter where you require age verification—either at the application, web site, or OS level, there are a number of risks that are almost impossible to fully mitigate. But enforcement at the application level doesn't affect your ability to use your own computer. If you don't like the requirements Discord or Facebook impose…don't use them. There are other alternatives. But if you don't like your operating system's requirement, not using it means not having access to a phone or a computer at all.

The frightening this about these laws is that, because they're so easy to evade without reliable age verification, an age verification requirement will almost certainly be added to them in the not-to-distant future. The initial requirements of the law make no sense, unless they're just the thin end of the wedge to use later to require that you store verified, personally identifiable identity data for yourself and your kids, "as an additional safeguard for the children".

This data could, in turn, become part of a requirements change from sending a generic "age signal", to sending personally identifiable data to confirm your age, which will then be stored by Microsoft, Apple, Google, and other application providers. Obviously, that repository of personally identifiable data becomes an even greater target for hackers and predators, so you're no better off than you were with application-level age verification.

Of course, enforcing age verification at the OS level might also require that a civil or criminal penalty be applied to you if you give a device to anyone under 18 without creating a verified user account for them. Even more frightening is that, if the government or a Big Tech company ever wanted to apply a "kill switch" to an individual user, this personally identifiable data will be a required mechanism to enforce it. Once your user identity is known and stored, it becomes a relatively trivial matter to cut off your access to all applications or services that are connected to the internet. It could even be used to disable your access to all user accounts on your computer, turning it into an expensive but useless brick.

Unfortunately, far too many people hear, "its for the children", and are keen to immediately shift their parental responsibilities off to the government and Big Tech. The DARE program, music labeling, and the "super-predator" panic were all pushed by the "it's for the children" rationale. But, in those cases, at least the policy solutions, while expensive, were only ineffective, rather than being actively harmful. Today, however, "it's for the children" is a common justification for Internet censorship, anti-encryption laws, and mandatory age verification. The unwanted effect of these policies will not be that they are simply ineffective—though they may be—but that they are direct assaults on individual privacy, free speech, and general freedom from government control.

The end result of these policies is that they extend the government's reach further into our personal lives. This is not an unintended side effect. This is by design. The more we willingly submit to these policies, the less control we'll have over our own lives. As President Jerry Ford once said, "A government that's big enough to give you everything you want, is big enough to take everything you have."