HR 8250 Nationwide Age Verification - Bill Text Released
Posted by Aurelar@reddit | linux | View on Reddit | 52 comments
The recent nationwide age verification bill now has the full text published at congress.gov:
https://www.congress.gov/119/bills/hr8250/BILLS-119hr8250ih.pdf
-The bill does not specify how ages for adults are to be verified: it leaves the implementation to the Federal Trade Commission, to be decided at a later date after the passing of the hill bill. (I was wrong in my earlier post when I thought that the bill would specify ID-based verification: it does not.
-I am not a lawyer, but I can see a potential loophole for Linux as the law is currently written. The person who controls the operating system can potentially be said to be responsible for age verification on the operating system, not the distribution maintainers, because the administrator of any Linux install has the right to view and change the source code of their install.
All that said, this bill is incredibly short and vague. It could go anywhere from here. Please contact your representatives. There is a chance the bill might never leave the committee, but we can't simply trust that it will pan out like that.
https://www.badinternetbills.com/
https://www.house.gov/representatives/find-your-representative
Cautious_Boat_999@reddit
I predict Linux distros will start moving their distribution points to countries without these draconian ID laws.
bytecode36@reddit
I predict states and the U.S. will eventually require websites to validate ages from the OS. If you OS does not provide this information you are blocked or set to "under 13" mode by default.
Ghost_x_Knight@reddit
The laws will have to go through court challenges, and there are strong arguments against these laws based on the US constitution.
The vast majority of federal standalone bills get ignored and die quietly. Congress spends the majority of its time on omnibus bills that bundles dozens of unrelated laws. The likelihood of the federal bill passing is low unless it gets bundled into an omnibus, or it makes national news and is considered high-priority by party leaders.
Setting aside that the bill is vague enough to apply to smart fridges, smart watches, and modems/routers, even the strictest version of age verification laws are unenforceable on open source PCs. The websites' needs for verification tokens for access is bypassable with VPN, as long as age verification is not imposed globally and on each US state, which is unlikely to happen.
mikeypi@reddit
‘The term ‘‘operating system’’ means software that supports the basic functions of a computer, mobile device, or any other general purpose computing device.’ So, probably not refrigerators or modems.
xsrvmy@reddit
It is sufficiently vague that someone could argue that anything turing complete counts, although I question if that will ever stand up in court (since you can't verify age without internet for example). The definition should at least clearly require unrestricted access to the internet.
Away-Lecture-3172@reddit
Most likely to boil down to a short whitelist of locked down operating systems where you peasant cannot have root access.
KnowZeroX@reddit
That would be terrible and can easily misused and abused. If your site can tell the user is above a certain age, it can then also tell the user is below a certain age.
zlice0@reddit
ok but linux foundation is a USA 503c isnt it
KnowZeroX@reddit
Strictly speaking, linux is not an operating system though, it is a kernel.
huskypuppers@reddit
It's the same issue as firearms: for purposes of enforcement, what is regulated as "the gun"? Because other anyone could just buy all the separate components unregulated and assemble them.
For a firearm, the frame/receiver (or the receiver containing the fire control group in the case of split receivers) is legally considered "the gun". In the case of an OS I think one could make an argument that the kernel is "the OS" as it the main interface between other software and hardware.
This would be straight forward for binary distribution but is complicated by the fact that source code is considered protected speech under the First Amendment and that the First Amendment also prevents the government from compelling speech. So in theory kernel development itself (ex. Linux Foundation) would be fine but distros themselves (except projects like Gentoo) would have issues.
L1qu1d_Gh0st@reddit
Sounds like a kernel foots the bill.
DoubleOwl7777@reddit
so does any driver...any firmware. literally anything.
zlice0@reddit
ya, see my post below. do you think these ppl would understand or care about the gnu/linux copy-pasta?
Business_Reindeer910@reddit
the european folks are attempting to do the same thing . there wont' be many countries left.
Cautious_Boat_999@reddit
There will be a Switzerland-esque “neutral nation” - how about Sealand? ;)
Business_Reindeer910@reddit
neutral nation doesn't matter if that nation is known to have such content. it will just be blocked by everyone
mkosmo@reddit
Sealand isn't a real country, fun aside.
BeautifulMundane4786@reddit
Most Linux distro websites are international. The American government can try to force the ISP’s to block them but it can easily be bypassed if you have a vpn or use tor.
BlkCrowe@reddit
Until they require age verification to use a VPN. Then it becomes a chicken and egg scenario.
zlice0@reddit
best i can see is the argument of the gnu/linux copy-pasta but i dont think these ppl understand that and idk how well "the OS is a distributed effort" would play out in court
mmarshall540@reddit
This is bad. It's overly broad, and it puts the FTC in charge of how Linux is developed.
Aurelar@reddit (OP)
It's also potentially sneaky. Think about it: there's no mention of ID-based verification in the bill, but the bill gives authority to the FTC to decide how age verification will be implemented. So, it is in a sense a blank check that can be interpreted as the FTC desires. They could pass the bill, and then the FTC could come out saying that ID will be necessary, and they will already have the authority to make it happen.
Again, I am not a lawyer, but I think this is how it could work.
mikeypi@reddit
That is how it works. In fact, that's how most laws are implemented. Which is why regulatory bodies are sometimes called the largest branch of government. But there are limits. The FTC has to stay within the intent of congress. Probably not a lot of comfort here, but the public will be asked to comment and the FTC generally has better technical people that Congress does.
bradleyjx@reddit
Though iirc that got more-complicated recently; since Chevron deference was explicitly-overruled, courts have the final say as to what that intent is, and there is no longer explicit deference to agencies like the FTC as to what that intent looks like in practice.
mikeypi@reddit
That's my understanding too. There is less deference to agencies. But that could be helpful here too. At the very least, it stop the FTC from expanding the scope of this law to future tech.
Away-Lecture-3172@reddit
I think that's the idea actually, if they put it right now they will have much more questions and problems. If FTC adds it later, who do you fight congress? FTC? Someone else?
huskypuppers@reddit
This is very, very interesting and something we need a legal opinion on.
If you can't stop people from compiling parts (or the entirety for that matter I guess) of their operating system (which you legally can't with GPL-compatible licensing) and using those binaries instead of those provided by the OS provider, I don't see how the OS provider can be held liable. It's similar to the argument of an engineer designing a code-compliant building, the constructor building a code-compliant building, then the owner doing whatever they want after the fact that makes the building non-compliant.
This might also become similar to the gun argument in the sense of "What part is the gun?": What part of the OS is "the OS"? Is it the kernel? The init system? Something else? If I have Red Hat and start replacing it, at what point is Red Hat / IBM no longer liable? Or conversely, if I download Fedora packages and re-pack them for Ubuntu, at what point does liability switch from Ubuntu to Red Hat? Ship of Theseus and all that.
What about all those Linux ISOs you're seeding, does that make you an OS provider now?
I'm not even American but I'm sure it'll come to my country at some point and it is legally very interesting. Extra twist in the US being that source code is protected by the First Amendment so the government can't stop that unless it gets overturned. Are we going to enter the Age of Gentoo and source-based distribution?
ddyess@reddit
I already emailed my representative and will likely be calling as well.
aliendude5300@reddit
It's not a law until it's passed. Don't be mistaken, we can convince them not to pass this. Contact your representatives.
Adventurous_Wash1785@reddit
Really wish they would stop with these vague bills that just punt implementation details to agencies later. The FTC having to figure out age verification after the fact is gonna be a mess
Also that Linux loophole thing is interesting but probably won't hold up once lawyers get involved. They'll just say distro maintainers are still "facilitating" access or something
Aurelar@reddit (OP)
This part in particular is a bit spooky:
(c) REGULATIONS. — (1) IN GENERAL. — Not later than 180 days after the date of the enactment of this Act, the Commission shall promulgate, under section 553 of title 5, United States Code, regulations to carry out this section, including regulations relating to the following:
(a) How an operating system provider can—
(i) verify the date of birth of a parent or legal guardian described in subsection (2)(A)
How is the operating system provider going to know who is a parent and who isn't?
ddyess@reddit
By requiring a government ID to a 3rd party verifier, so they can track who is using what device.
KnowZeroX@reddit
It both has its ups and downs, obviously vague laws have the issue that they can be altered at any time with little notice by non-elected officials, but also has the benefit that technically illiterate congress isn't making specifics and leaving it to an agency which should have experts in the field.
mmarshall540@reddit
Here's what I sent to my Congressman just now. Feel free to use it or expand on it (or even edit it down). I'm tired from work, so I probably rambled a bit much...
Dear Rep. [insert name here]
I am writing to voice concern about HR8250, which was recently introduced by Reps. Gottheimer and Stefanik.
This Bill seems to assume that all "operating system providers" have deep pockets, enabling such developers to comply with what will ultimately become a complex regulatory framework that will require employing lawyers just to write a program or distribute a computer operating system cobbled together from free and open source software.
According to distrowatch.com, there are at least 560 active free and open source operating system distributions based on Linux, BSD, or other technologies. Microsoft's Windows, Apple's MacOS, and Google's Android are no longer the only games in town.
These alternative operating systems have recently seen increased adoption by people who want to escape from the proprietary world of Microsoft, Apple, and Google which treats them less and less like the customer and more and more like the product. Many people are making this change because they want increased freedom, privacy, and protection from being spied on by commercial interests who trade their personal information as a commodity.
Most alternative operating systems are based on the Linux kernel, which Linus Torvalds wrote in the early 1990s while a university student. And today, those who combine the Linux kernel with various other packages of free and open source software to create full-fledged operating systems usually begin doing so as hobbyists. Most do it for the love of the craft and to serve the community, not as a way to get rich.
"Slackware Linux" is currently the oldest such operating system. It was created in the mid-1990s by Patrick Volkerding, who still maintains it as an individual developer, though with help from others around the world.
"Debian Linux" is another such operating system. It is maintained and developed by a worldwide network of volunteers who donate their time to improve the project by writing documentation, packaging software from other sources, and even ensuring compliance with applicable government regulations, which are currently very few.
It is important to protect this area of innovation. It is literally how the world wide web came into being. Today Linux-based operating systems host over 95% of servers on the world wide web. In the area of desktop usage, their share is well below 10% but growing very fast.
We need to help encourage this growth and not get in its way.
A company like Microsoft or Apple or Google can afford to manage increased requirements. They can employ teams of lawyers, auditors, and other professionals to ensure that their "product" complies.
But to many of the people who drive Linux (and other open source technologies) forward, it's not a product. These people are benefiting all of us, often receiving little if any compensation for their efforts. We should make it easier for them, not harder.
Thank you.
Aurelar@reddit (OP)
It might be a good idea to print some copies out and mail them through snail mail too. The email letters might be easy to ignore. You could also call later on to see if they were at least received. You should know that each Congressman has offices both locally and in DC, and you can send a copy to each.
redsteakraw@reddit
Both Cosponsors of this bill got Millions from AIPAC. This is cross party but AIPAC aligned reps.
warserpent@reddit
This bill is being pushed by Zuckerberg and Meta, not AIPAC.
Khaos_the_Void_@reddit
I hope you don’t mind me leaving this here. Here is a template for contacting your representative, please feel free to edit or correct any way you wish.
It has come to my attention that, House Resolution 8250 "Parent Decide Act" has been introduced. This act is for the verification of age for computer operating systems, "OS" for short, it requires an age verification system for any and all OS regardless of what device is being used. With current technology this act, if passed, could pose multiple issues. Some of these issues include: an increased risk of data breaches, issues with open-source OS; such as Linux, age verification on devices that are not normal required, and potential privacy violations. The first issue I bring up is the increased risk of personal data breaches. As proven by the - insert data breach information here - , securing data and access to said data is vital to both personal and national security. With this bill all americans will be required to provide sensitive data to a multitude of companies. These companies cannot guarantee the security of the data provided, which could put millions of americans at risk of identity theft. Birthdate information is sensitive data as it is often used to verify a persons identity for things like: - insert sensitive data usage here -. With the requirement that all OS collect this data, this act will spread that data to multiple companies which increases the possibility of that information being stolen. The second issue involves open-source, and custom OS. Some operating systems are open-source, which means that there is no centralized entity to verify age to. The most notable of these types of systems is Unbuntu, which is a Linux based open-source OS that is used for both industral and personal computers. H.R. 8250 would essentially make the vast majority of these Linux OS illegal as there is no way for the law to be followed. Since open-source OS lack the same structure as companies such as Microsoft, and Apple there is no way for open-source OS to comply with any of the age verification requirements. This would give structured companies an unfair advantage in the market; as well as force open-source OS users to switch to large corporate entities such as Microsoft or Apple. This bill would also mean that hobbyist or open-source programers making operating systems or customizing their own software could face legal issues as their project may violate the law, due to an inability to implement age verification in the aforemention OS or software. The third issue with this bill is the number of devices that have individual operating systems. Due to the prevalence of technology in society, this bill, may require devices that should not require any sensitive data for use, to now verify the age of a user. While some devices like computers, tablets, and smartphones will fall under this bill; other less obvious devices may also be effected. Smart TVs, Smart Refrigerators, Smart Washers/Dryers, even Vehicles and Smart Homes all have their own operating systems. This bill, if passed, will require age verification for all OS to include the aforementioned devices. This will place an undue burden on the American people as each individual device will have to verify any users age. This also goes back to the first issue, having that many devices being given sensitive data increases the chance of that information being compromised. The final, but most important, issue is the potential abuse of the information being given. The majority of technology companies have an existing conflict of interest with privacy and the selling of personal user information. This bill will be the largest amount of user data ever given to technology companies. It will not only confirm each individual user but also provide them with age demographics as well. This data can and will be sold. For each device verified, another company can potentially sell that information to advertisers, private data brokers, or other entities with an interest in that data. Applications on a device will also be able to collect that data and use it for targeted marketing, to resell that data to another third-party, or in a worst case be stolen by malware posing as an application. This is a real threat to individual privacy as it will essentially give away sensitive information about adult users and their children. As it stands now technology companies are already collecting vast amounts of user data, this bill will allow these companies to tie users to an individual device. This means that those companies can and will harrass users with highly targeted advertisements with no way for an individual to stop them from doing so. Due to the nature of this bill, the company that owns the operating system is required to collect this data, which means that individual will not have the option to opt-out of sharing this information. Which means that there is no way to prevent the collected data from being shared or sold. It removes the agency of the individual as it takes away their right to privacy. The bill itself has no protections from the sharing or selling of the gathered data. It also states that applications will be able to access the given user data, which will drastically increase the potental of a data breach. H.R. 8250 "Parents Decide Act" is not about safety by any means. It is an attempt to gather sensitive user data for the sole purpose of advertising and data harvesting. It should not be allowed to become law as there are too many risk to Americans and almost no safeguards against the abuse of the data collected. This bill, if allowed to become law, will give technology companies the ability to individually target users across any device they own. There is a possibility that this targeting could eventually devolve into harrasment as these technology companies will push advertisments from one device to the next. Imagine getting an advertisment on your phone, then your smart tv, then your smart refrigerator door, its the same advertisement each time, you cannot avoid the advertisement as it knows your devices. The advertisement knows; who you are, where you are, how old you are, and much more about you. This is a possible outcome of H.R 8250, highly targeted, invasive advertisements. In closing, I would ask that you vote no if and when the time comes. This bill is insuffient, there are too many devices that could fall under this bill, it opens Americans up to risks and dangers that will be out of their control, it shares sensitive data without any safeguards from data selling or sharing, and it actively allows technology companies to cyber-stalk users across every and any smart device that they own. Technology is everywhere now, and as such it becomes impossible to avoid or live without. Please don't let this bill become a law.
Jumpy-Dinner-5001@reddit
Doesn’t look too bad. It’s just simple parental controls, nothing special.
zlice0@reddit
except it explicitly states 'verify age' which could be super broad ranging from completely useless to face scans or ID - the later having no infrastructure to do so especially for open source. not that the linux foundation doesnt have money to bankroll that but.
Jumpy-Dinner-5001@reddit
That’s not how it’s euren written. Users over 17 are not required to verify any age.
zlice0@reddit
"verify the date of birth of a parent or legal guardian described in subsection" along with the section title "SEC. 2. REQUIRED AGE VERIFICATION FOR USERS OF OPERATING SYSTEMS." sure seems like it to me?
Jumpy-Dinner-5001@reddit
Still, only underaged users.
antidense@reddit
The more laws, the less justice
Several_Clients@reddit
Are you against the Civil Rights Act? Or laws that make murder illegal?
DoubleOwl7777@reddit
incredibly vague, essentially allowing the ftc to do whatever they want. nope. fuck them. if you live in the usa preassure your reps.
dialtd@reddit
This is a near-perfect, although extremen example of the casual way our Representatives and Senators approach their sworn duty to "support and defend the Constitution of the United States against all enemies, foreign and domestic... [and] well and faithfully discharge the duties of the office on which I am about to enter." Conceiving that "something must be done" about what they think is a problem, they introduce a bill (that they will tout in their next campaign) that authorizes and directs the Executive Branch to write the rest of the law to suit its fancy.
Many of us are now horrified by Presidential actions that plainly trample rights and liberties we thought Constitutionally protected. Those of us who are not, maybe because they believe those actions serve a greater good, should imagine what such legislative incompetence and fecklessness will bring under an equally energetic President with policies they oppose.
All of us should oppose this and similar laws, and replace their authors and legislative supporters with others who will take their offices and oaths seriously.
Existing-Tough-6517@reddit
For fucks sake mandate new computer sold to end users which include an OS have a particular feature that way you make a mandate that Dell can in turn require be fulfilled by Canonical and Microsoft but not
Existing hardware or refurbished Random open source projects Components like the kernel which cannot possibly fulfill it
dvtyrsnp@reddit
it's seriously not THAT hard to get this law right.
mandate that commercial OS in personal computing devices include by default a centralized parental control feature and and mandate that commercial appstores respect that parental control feature. that takes care of the problem we should want to be solving without having to deal with privacy concerns or stupid stuff like "does my calculator need to verify age?" "is github an appstore?"
we can't afford to be broad in the language with a law like this. you should be writing to the representatives on the committee that will be handling this bill, not just yours.
etrigan63@reddit
I contacted my representatives before the text was published. This has to be stopped and stopped now.
LordAlfredo@reddit
Better start vetting those TI calculators.
zlice0@reddit
"An operating system provider, with respect to any operating system of such provider"
yep, they start of with the immediate indicator they don't really know what they're talking about. shut down all the power plants and water facilities.
this is such a nothing bill like some of the others individual states have made... and they show it with the whole 180 days / 18 months thing. they don't know what theyre doing, they think they want something but dont even seem to know what or how bad it will play out. kind of reminds me of banking places wanting block chain for every transaction, ya, no you dont