California blinks: Linux gets a carve-out from its age-check law

4 min read 1 source clear_take
├── "The Linux carve-out is a necessary but insufficient fix"
│  └── Electronic Frontier Foundation (EFF (cited in Tom's Hardware)) → read

The EFF flagged the Linux sweep problem in public comments and welcomed Wicks's amendment as a needed correction. But they argue the narrow carve-out only exempts open-source distros not tied to a covered app store — Android, iOS, Windows, macOS, ChromeOS and tied-storefront Linux variants like SteamOS remain subject to the same questionable age-signal regime.

├── "Volunteer-run distros cannot plausibly implement government age-collection mandates"
│  └── @rbanffy (submitter) and Debian Project members in thread (Hacker News, 817 pts) → view

The 817-point HN thread surfaced the absurdity of expecting volunteer maintainers of Debian, Arch, Fedora, and NixOS to bolt a legally-compliant age-verification prompt into their installers. Commenters questioned who would be the legally responsible 'operating system provider' for a community distro shipped worldwide, which is precisely the pressure that forced Wicks's amendment within a week.

├── "The OS is now being treated as a regulatable chokepoint like an ISP or payment processor"
│  └── top10.dev editorial (top10.dev) → read below

The editorial argues the most revealing aspect of AB 1043 isn't the Linux walk-back but the underlying legislative posture: lawmakers now view the operating system as a control point equivalent to an ISP or payment processor, on par with how COPPA treats websites. The carve-out preserves Linux but leaves that broader regulatory framing — OS as enforcement layer — fully intact for Android, iOS, Windows, macOS, and ChromeOS.

└── "Public pressure on poorly-scoped tech legislation actually works"
  └── Tom's Hardware reporting (Tom's Hardware) → read

The article frames the amendment as a direct consequence of community backlash — the same lawmaker who wrote the original sweeping definition proposed the fix roughly a week after Hacker News, EFF, and distro maintainers raised the alarm. The takeaway is that targeted, technically-literate public pushback can still move a bill before it takes effect.

What happened

California Assembly Bill 1043, sponsored by Assemblymember Buffy Wicks and scheduled to take effect January 1, 2027, requires operating system providers to collect a user's age at account setup and transmit an "age signal" to app stores and downloaded apps. The text, as originally drafted, defined "operating system provider" broadly enough to sweep in every Linux distribution shipped to a California resident — Debian, Arch, Fedora, NixOS, the lot. Maintainers noticed. So did Hacker News, where the story pulled 817 points and a thread full of Debian Project members asking who, exactly, was supposed to implement a government-mandated age-collection prompt in a volunteer-run installer.

After roughly a week of public pressure, Wicks herself proposed an amendment carving out operating systems that are "open source" and not "distributed in connection with a covered app store." The Electronic Frontier Foundation, which had flagged the Linux problem in public comments, called the amendment a necessary fix but not a sufficient one. The amendment text is narrow: it exempts the distro, not the architecture. Android, iOS, Windows, macOS, and ChromeOS remain on the hook, as does any Linux variant that ships with a tied storefront (think Steam Deck's SteamOS, or any vendor that bundles a paid app marketplace with their image).

The practical effect for the Linux ecosystem is that Debian's installer doesn't have to grow an age-gate dialog box, and the Arch wiki doesn't have to add a section on "compliance with California minor-protection statutes." The practical effect for everyone else is unchanged.

Why it matters

The interesting part of this story isn't that California flinched. The interesting part is what the original drafting reveals about how legislators now think about the operating system: as a regulatable chokepoint, equivalent to an ISP or a payment processor. AB 1043 treats the OS the way COPPA treats websites and the way the UK's Online Safety Act treats platforms — as the single accountable layer where identity attestation can be enforced. That framing works fine if you assume the OS is a product shipped by a company with a legal department. It collapses immediately when the OS is a tarball maintained by 1,400 volunteers in 70 countries.

This is the second time in two years that a US state has written a tech bill that accidentally illegalized open source. Last year's New York age-appropriate design code had a similar problem with self-hosted forums; Texas's HB 18 had to be amended to spare hobbyist sites. The pattern is consistent: legislatures draft for the Apple/Google/Microsoft model of software distribution, then discover six months later that they've also banned Pleroma, Mastodon, or Debian. Civil society groups catch it, the author amends, the bill passes anyway. Repeat.

What makes AB 1043 worth paying attention to past the Linux carve-out is the mechanism it normalizes. The "age signal" the OS is supposed to transmit is a structured attestation — likely a boolean or a coarse bucket (under-13, 13-15, 16-17, 18+) — passed to apps via a system API. Apple's already shipping something close to this with its age-range API in iOS 18.2; Google announced an equivalent for Android at I/O. Both companies lobbied *for* AB 1043, because it shifts the legal burden of age verification off the app developer and onto the OS, which is exactly where their existing identity infrastructure already lives. Meta, Snap, and Roblox were also supporters for the same reason: it's cheaper to consume a system-provided age claim than to run KYC at signup.

The community reaction on HN was largely a debate about whether this is good architecture or bad architecture wearing a child-safety costume. The strongest pro argument: a single OS-level attestation is less privacy-invasive than every app independently demanding a driver's license scan. The strongest con: it converts the OS into a state-aligned identity issuer, and once that API exists, the next bill will require it to attest other things — citizenship status, vaccination status, criminal record. Legislators rarely build a chokepoint they don't eventually use.

What this means for your stack

If you ship a desktop or mobile app to California users, you have about thirteen months to decide how you're going to consume the age signal. The bill doesn't require you to *enforce* anything based on the signal — that's a separate compliance question driven by COPPA, your own ToS, and any platform policies — but it does require you to be capable of receiving it. Apple's `ASAccountAuthenticationModificationController` and Google's forthcoming `AgeAssuranceClient` are the reference implementations to track. Expect both to land in stable SDKs by mid-2026.

If you maintain a Linux distro or a niche OS (Haiku, FreeBSD, ReactOS, anything self-hosted), the amendment as currently drafted appears to cover you, but "open source" is doing a lot of work in that sentence. Read the final statute carefully — specifically whether "open source" is defined by OSI license, by source availability, or by some new California-specific test. The EFF's analysis suggested the current draft uses OSI-style language, but amendments get amended.

If you're a web developer, none of this touches you yet. AB 1043 is OS-and-app-store-scoped. The browser-level equivalent is the separate Kids Online Safety Act track at the federal level and the various state "social media for minors" bills, most of which are currently enjoined.

Looking ahead

The Linux carve-out is a real win for a community that mostly survives on goodwill and unpaid labor, and it shows that loud, technically literate pushback still works on state-level tech legislation. But the carve-out is also evidence that the OS-as-identity-layer model is now bipartisan, industry-backed consensus, and the only people pushing back are the ones who happen to operate outside the commercial software economy. Texas, Florida, and New York all have similar bills drafted. When the second and third state passes one, the carve-out negotiation starts over from scratch — and the next legislature may not have a Buffy Wicks willing to amend.

Hacker News 1029 pts 457 comments

California moves to exempt Linux from its age-verification law after backlash

→ read on Hacker News
Bender · Hacker News

The only device mandates that should be taking place is for the default installations of web clients should be checking to see if parental controls are enabled. This only impacts the major browsers. An intern at each browser company could add this check in minutes. If they are enabled and the person

tzs · Hacker News

As usual 95+% of people commenting have no idea what is actually in the California law, and so are commenting about things that have nothing to do with it.Different states, countries, and multi-country organizations that have legislated in this area or are working on legislating in this area have we

neilv · Hacker News

Who is actually writing this very concerning California Internet legislation, which will ultimately affect the entire nation and world?Did someone write California Internet legislation without consulting any California Internet companies?Did some California Internet companies write California Intern

zarzavat · Hacker News

A cynical person might suspect that the reason they are doing this is so that Linux developers don't have standing to challenge the law on 1st amendment grounds...

jrnichols · Hacker News

Linux will be exempt for now. I wouldn't be at all surprised to see them try to slip it through later. Legislators in California have learned over the years, and have carved out exemptions in bills such as gun control bills to get it passed, and later classified their exemption as a "looph

// share this

// get daily digest

Top 10 dev stories every morning at 8am UTC. AI-curated. Retro terminal HTML email.