Age verification: what if we used malicious compliance?
Posted by freedomtakeswork84@reddit | linux | 37 comments
A lot of Linux users are upset about age verification (and should be). But what if instead of trying to not comply we instead maliciously comply?
A common critique of Linux is the fragmentation. Too many distros. Let us leverage that: every distro chooses to technically comply with providing a user's age but in a different way. Increase the difficulty of implementing the "solutions" in apps and make a universal option impossible. If an app wants to find out the age of a user they have to use a different method for every single distro making it unreasonable for apps to bother.
Each implementation could also obfuscate, complicate and make the process difficult. The files or processes storing this can have protest names like 'big-brother-is-evil', 'fascism-eyes', 'hey-ped0s-this-user-is-a-child', 'surveillance-is-bad', 'internet-safety-is-the-parents-responsibility'.
A few suggestions:
Background process provides the age bracket when requested but only after locking the requesting process for 1 minute making it look like the app has crashed. Apps must request the answer regularly.
The age bracket but not the age is stored in a readable file and the user has to update it themselves.
The user must confirm their age every time the system starts. It is only stored in ram not on the drive. To protect user privacy.
The age is stored in a readable file but is encrypted with an ultra secure hash to protect user privacy. Apps must implement a complex and time-consuming decryption to access it. The key is updated with each new release and apps have to implement the new one to read it again.
The age is stored in a universally readable and universally *writable* file for convenience so the user can update it as needed. 'Accidental' overwriting can happen.
Whenever an app requests the user's age the user is shown 'Do you allow (app) to access your age?' to ensure they are fully informed. The user can click no.
The user must input the root password every time an app makes a request or the data is not provided to that app.
A simpler one: if the user picks a region where such a law might exist it asks these questions on setup/update:
'Do you live in a jurisdiction that requires age verification? yes / no'
'Do you want to let every app know your age? yes / no'
'Do you understand you must answer these questions correctly and by selecting yes you take full legal responsibility for this being correct? yes / no'
Even simpler: 'Your location might have laws requiring age verification. To comply with these laws we have to give you the option to use age verification but you are not required to use it. Do you want to use it?'
Some of these probably do not comply with the rules but I am sure there are other ideas.
I am not a lawyer so these can be written better.
There are lots of other ways to comply maliciously. I am only giving ideas.
By the way the actual fight needs to be in the courts. USA courts have already said software is 'speech' as in free speech so this requirement is a violation of that. Laws like the California one are probably a breach of the 1st Amendment and probably invalid. The suggestion to maliciously comply is to spanner the works only.
whosdr@reddit
https://leginfo.legislature.ca.gov/faces/billTextClient.xhtml?bill_id=202520260AB1043
1798.501. (a)
(2) Provide a developer who has requested a signal with respect to a particular user with a digital signal via a reasonably consistent real-time application programming interface that identifies, at a minimum, which of the following categories pertains to the user: (A) Under 13 years of age.
coldsubstance68@reddit
They can't expect distros to coordinate with each other to implement a feature no one but Facebook asked for. Making it cumbersome is a great way to protest this anti feature that's being forced down our throats.
whosdr@reddit
Consider what a website might do if it requests an age signal and the browser can't comply. Do you think the website is more likely to assume >=18, or <13? Which one gets them into less legal trouble?
chris_0611@reddit
Within one distro it could be totally reasonable. Like a well-documented API.
However each and every distro will have its own totally different API
Some work over gRPC, some store it in a text file, another uses a SQL database, etc.
Just like Apple doesn't have to implement the same 'reasonable' API as Windows or as Android, Linux distros don't have to agree on a common standard.
This might just appear naturally anyway lol, as people can't agree on a single standard ever anyway (or it takes many many years), so let everyone just implement yet-another-API which supposedly has benefits over competing standards. Of course an initiative to unify arises, just resulting in N+1 standards. Just let the open-source world do its thing and I think we'll be fine LOL
whosdr@reddit
Also see my argument here as to why implementing many different APIs would likely be a bad idea:
/r/linux/comments/1scixza/comment/oebe0hy/
chris_0611@reddit
Who gives a ****
If:
I'll open VScode and "age=99; return age;" and recompile firefox and go on with my life. This law is not going to prevent anyone of any age from accessing any service or feature, ever.
whosdr@reddit
Storage and API are very different concepts. And in the case of the California bill, having the application read the date-of-birth directly would actually fall afoul of the bill. It strictly requires you to be able to query only age brackets.
ccAbstraction@reddit
I read that as "we can still fuck around if we move the goal post of reasonable"
whosdr@reddit
The post is basically saying, "What if we just make it unreasonable to comply?"
I could see it being 'reasonably consistent' if the query is a bit fuzzy regarding the age, or the age brackets provided don't quite match up to what an application expects. An entirely different API for each distro though, I expect, would be argued in court to fail the "reasonably consistent" wording cited in the document.
ccAbstraction@reddit
I don't think it's unreasonable for Microsoft, Apple, Google, and Meta to have their own APIs. Why are Canonical and RedHat special and have to share?
whosdr@reddit
I don't think it's an issue at all if they have good reasons to do so. Doing so maliciously could be legally challenged though.
But I think more to the point: if distros, especially more fringe ones, decide to implement verification entirely differently, that might be a disservice for the users.
From my understanding, the intent of the bills is to offload age verification for applications and websites onto the operating system. Being technically unable to comply (e.g. the browser/application isn't configured to read those signals) will likely cause every site/service to assume you're under the age of 13 and prevent you from accessing the service or features therein.
martyn_hare@reddit
The text of the Californian law says applications shall request a signal via the API but doesn't actually specify that the developer must receive a response, only that if they do, then that's considered to be knowledge of the user's age from a legal perspective.
The Apple implementation confirms that Family Organizers can choose that apps never receive age signals when they request one, and there's no rule saying what a developer must do if a response isn't received.
If a developer assumes 13+ by default and only opts to discriminate between 18+ content vs. everything else, then literally nothing changes unless an actual under-13 signal is explicitly sent.
Knowing this: Any bets as to why Meta and Apple both sponsored this? =3
chris_0611@reddit
If it's about websites, within 5 minutes there will be a fork of Firefox or an extension that sends the age of 99 to any and every website regardless of what the OS reports. I just can't see how this will ever work. My 10 year old nephew will also find that plugin or workaround within 5 minutes.
What happens if I sudo firefox? Does the superuser account have an age? What if I run a python bot with embedded browser, what age does he have?
Most people don't even USE different user-accounts on their home-PC.
This whole bill is just such BS. It's literally worse than just asking for an age dropdown on login or registration of a website.
ccAbstraction@reddit
Yeah that's fair
KnowZeroX@reddit
I think the best approach is to require that the developer of the application requesting must send a copy of their ID, pay a $100 annual developer fee and must get 1 million dollar insurance.
It is fairly reasonable to ensure the application in question is not violating the user's privacy and can be terminated at any time. Also, others already charge similar developer fees in general.
Amazing-Mirror-3076@reddit
The key word here is consistent - consistent in what context?
Each distro can provide its own consistent API - just not like the rest.
whosdr@reddit
I think ultimately the need to be consistent might also not be a legal one, but a functional one. See:
/r/linux/comments/1scixza/comment/oebe0hy/
PsychoticDreemurr@reddit
Legally speaking, an API is a consistent "application programming interface"
Not the distro's fault if it just so happens that programming the API in a completely different way simply works so much better for them...
Additional-Sky-7436@reddit
People here are so weird.
The FBI isn't tracking you online based on your age. They already have much more effective tools to track you. They have been able to get an identifier on you since Pentium 3s.
This is about Meta, and other websites, being able to offload their responsibility for their own platforms onto the OS makers.
They do not care if you lie. They just want to be able to say "We asked the OS for a verified age and it said 18+."
am9qb3JlZmVyZW5jZQ@reddit
Which is great for privacy, as I don't want Meta, Google, or any other third party verifying my age beyond asking for my date of birth either.
whosdr@reddit
In the case of the California bill at least, the date of birth isn't even necessary. A compliant implementation can just be that the OS asked for your age once (and not a DoB), and then provides signals based on that single static value.
That's what I'd much prefer. Set it to 999 and then no information can leak regarding your date of birth.
Swizzel-Stixx@reddit
Age isn’t a static value most of the time
whosdr@reddit
California's bill seems to allow it to be.
aliendude5300@reddit
The problem with that is the signal needs to update as minors go through the various age ranges, so you need to store the DOB to provide accurate signaling.
GinormousHippo458@reddit
Malicious non compliance, and outright defiance is even better. It's sad us bunch of adults are such rule followers to the political pedophile class.
DoubleOwl7777@reddit
Precisely. They won't prosecute literal pedos so why should we care?
Pyrotech72@reddit
A guy passed on a saying to me. "Win if you can, lose if you must, but always cheat."
LostGeezer2025@reddit
"Strive whenever possible to bend, fold, spindle, and mutilate..."
DoubleOwl7777@reddit
the only compliance is non compliance.
rhbvkleef@reddit
My plan was to provide a different API on each system for requesting age brackets making it impossible for any application to work anywhere at all
aliendude5300@reddit
This would just result in a libage or something that checks all of them and apps get more bloated as a result.
aliendude5300@reddit
This would be WORSE for users. Having a standard place to store the date keeps PII protected and controlled.
siodhe@reddit
That's cute and all, but once the underlying mechanism is in place, the government will be just a hairsbreadth away from mandating compliance, and reporting more than just an age bracket.
Thanks, Meta, you bastard, for forcing this on us to save yourselves.
These are the kind of bills/laws that need to be fought.
As far as compliance goes, some of them have exemptions for "the delivery of, or use of a physical product". But the danger isn't the screwed-up state bills as much as what could happen if the Kids Online Safety Act follows the same path, but without the gross bill-writing incompetence.
That_Crazy_3983@reddit
In all honesty I do not live in a place that is even near receiving laws like that, and honestly I would probably not comply at all, this law is absolutely ridiculous anyway. There is no way that the laws of one county will affect the entire world, especially not a law this nonsensical and I definitely will not comply
HeWhoThreadsLightly@reddit
Develop new apis at a pace that makes the pace of Javascript framework development look like the C language committee.
Have a breaking abi and api change every update, have the requester submit a lambda that has to interact with some rapidly updating and undocumented virtual hardware. We have to stay on the blending edge to keep the kids and the internet safe.
MegaChubbz@reddit
I like where your head's at but wouldn't this be more of a punishment to developers rather than large tech companies or greedy, technologically illiterate politicians who are trying to line their pockets?
Like most developers would just choose to not implement Linux compatibility if it's so much more work for them, leading to lower adoption rates and doing the opposite of what the intention is.
I'm not sure if my take is totally correct, just the first thing I thought of.
tduarte@reddit
I feel like this type of approach can make lawmakers propose changes to the law to be more strict and potentially make things worse. IMO the correct path here is for the people to call their representatives and fight against the law in the first place.
Right now you just need to select an age-bracket and there’s no enforcement to know if you’re lying or not.