Sacramento. The US states of California and Colorado have recently passed legislation requiring operating system providers to implement an age verification mechanism. The system is intended to take effect as soon as a user creates an account on a device. In California, lawmakers have gone a step further: the system must also cross-check registration data against public databases. The law has not yet been fully enacted, but Governor Gavin Newsom has already announced further amendments and expansions.
Where such a system is developed by a manufacturer that is a natural or legal person, compliance can be enforced. Companies such as Microsoft, Apple or Google, for Android, can be compelled to integrate such checks into their operating systems. The situation is entirely different for open-source systems such as Linux. The Californian law refers to an ‘operating system provider’ that is to be held responsible.
But who would that be in the case of Linux? The system is built on open collaboration. Although it was initiated by Linus Torvalds and first released on 17 September 1991 as version 0.01, the kernel – the core of the operating system – is now maintained by a global community. Anyone with the necessary expertise can, may and is encouraged to contribute. The source code is freely available, and thousands of developers and companies are involved in improving it.
Linux has evolved into various distributions, each developed independently. A distribution is a collection of software components delivered and maintained as a complete package. For distributions such as Red Hat, Canonical or SUSE – all Linux-based systems – responsibility can still be identified to some extent. Other projects, however, are purely community-driven. Debian or Linux Mint have no legal entity acting as a manufacturer. The case of Debian makes that clear: in the United States, there is no legal person, neither a foundation under US law nor any other entity, that could be held accountable for the distribution.
No intention of complying
The Debian community is a loosely organised collective without legal personality, responsible for maintaining and developing Debian. From the outset, the project and its derivatives have followed what is known as a meritocracy: influence belongs to those who contribute. It is almost impossible to name a contact who could be held responsible for implementing such a legally mandated feature. Anyone familiar with the Debian community can easily imagine its likely response to such legislation: ignoring it would be the mildest option. The community has always organised itself through forums and mailing lists, where the debate over age verification is currently intense.
Some participants have put forward concrete technical proposals for how such a feature might be implemented in Debian. Others reject the idea outright. Still others see the Californian law as easily circumvented nonsense that primarily serves to restrict the freedom of regular computer users. Anyone installing a free Linux distribution remains free to modify it at their own discretion.
Technically feasible, but ineffective
There are indeed viable technical proposals from within the community, some of which could offer a high degree of security. However, users remain free to remove the relevant components or simply enter a different country of residence during setup. Determining the actual location of a device is far from straightforward, making any form of verification problematic from the outset.
Many in the Debian community also argue that attempts by the state to address social or educational issues through technical means are fundamentally misguided. Debian’s defining characteristic – that it consists entirely of free software – makes such approaches ineffective from the start. There is no single, fixed version of Debian. Each user is free to configure their system as they see fit.
In the United States, the legal dimension is far from trivial. Federal courts have recognised free software as a form of free expression. ‘Free speech’ enjoys strong protection, which means developers cannot be prevented from publishing free software. At the same time, users can always remove youth protection mechanisms from open-source code.
Anyone can switch it off
Another concern within the community is that the age verification rules introduced in California and Colorado are unlikely to be compatible with European data protection laws. Every solution proposed so far raises serious questions. Debian and other free distributions therefore face an absurd dilemma: in California, they would be required to enforce age verification, while in other parts of the world they might have to disable it for legal reasons. The problem remains unresolved, not least because the location of a device cannot be reliably determined.
Many members of the Debian community consider the issue irrelevant for the project. The community, they argue, is not an ‘operating system provider’ as defined by the law. Without legal personality, it cannot be held liable, neither in the United States nor elsewhere. One theoretical option would be to ban the use of Debian distributions in California and Colorado. Yet such a move would likely conflict with constitutional protections of free expression. It would also run counter to the principles of free software. The Debian Free Software Guidelines (DFSG), for instance, explicitly prohibit discrimination against specific groups of users.
The conflict surrounding Debian illustrates how poorly conceived such legislation can be and how limited the technical understanding of many lawmakers remains. It also highlights the extent to which software and computing are still viewed primarily in commercial terms. Open-source communities, which develop a wide range of free and innovative software, cannot simply be forced into rigid regulatory frameworks. The risk is that legitimate and highly capable systems are effectively criminalised without achieving the stated aim of protecting children.