Support us on Patreon
PayPalThe US-wide operating system age verification bill we covered recently, the "Parents Decide Act", now actually has the bill published to read.
As a reminder - this bill has not yet passed, it has only been introduced and so it could change a lot before being approved, or it could get thrown out. It's early days yet but the important bit to remember is that it has bipartisan support across both the Democrats and Republicans.
The bill H. R. 8250 actually seems somewhat reasonable, especially compared to some other state-specific bills that we've seen. In this case, they only want you to enter your date of birth to confirm that you're over 18.
If you're under 18, you'll need a parent or guardian to verify a date of birth. It also requires a system for application developers to access this date of birth and to store the information securely. And, additionally, have features for parents to control what under 18s can access on a device.
What they don't say, is how a parent would verify a date of birth, it seems a quite ambiguous on that. Presumably, unless they do plan to expand on that, it would just use the honour system of a parent ticking a box and entering their date of birth to confirm.
This act would cover every single operating system. They define it pretty clearly too as "software that supports the basic functions of a computer, mobile device, or any other general purpose computing device" and providers they define as "a person that develops, licenses, or controls the operating system on a computer, mobile device, or any other general purpose computing device" - which is incredibly broad on who and what this applies directly to.
Remember though - if such a bill passes (and similar bills have already passed in certain US states), it's just a first step to be expanded upon and things can get much worse for our own control and privacy. First it's date of birth storing, next it's ID scanning and more. We all know how these things end up.
And, even if you're not in the US, these types of acts will still affect you due to how a large part of the tech industry is based in the US.
Article taken from GamingOnLinux.com.
About the author - Liam Dawe
I am the owner of GamingOnLinux. After discovering Linux back in the days of Mandrake in 2003, I constantly checked on the progress of Linux until Ubuntu appeared on the scene and it helped me to really love it. You can reach me easily by emailing GamingOnLinux directly.
See more from me
See more from me
Some you may have missed, popular articles from the last month:
You can also find comments for this article on social media: All posts need to follow our rules. Please hit the Report Flag icon on any post that breaks the rules or contains illegal / harmful content. Readers can also email us for any issues or concerns.
20 comments
It doesn't make sense to have this kind of data attached to a device like a computer. My kids will just as happily use Grans computer (or ours) as the school computer to fiddle around on Scratch for example.
None of the computers are "theirs", they are not the primary users.
In what world do they expect even well off people like us to provision a separate computer for each person? The kids don't need their own thing, they also shouldn't have unfettered access to screens, so they won't get their own system until they can acquire one themselves.
None of the computers are "theirs", they are not the primary users.
In what world do they expect even well off people like us to provision a separate computer for each person? The kids don't need their own thing, they also shouldn't have unfettered access to screens, so they won't get their own system until they can acquire one themselves.
9 Likes
What if I want to use my device offline? Never connect it to the internet. Old game consoles?
Just this single requirement has already so many problems attached to it.
Just this single requirement has already so many problems attached to it.
7 Likes
StalePopcorn a day ago
Big tech will have nigh universal, preemptive permission to assume indemnity because said user claimed to be an adult via operating system attestation. It's for the chiwwwdrin! 🙄
3 Likes
This is the "foot in the door". Once the opening is established then we all know what will follow.
Very, very sad and frustrating times lay ahead.
Very, very sad and frustrating times lay ahead.
7 Likes
Quoting: Savor592What if I want to use my device offline? Never connect it to the internet. Old game consoles?The law actually doesn't seem to specify being online.
Just this single requirement has already so many problems attached to it.
It puts limits on how this data when shared online should be used, but not that it must be shared online.
1 Likes
Quoting: grigiIt doesn't make sense to have this kind of data attached to a device like a computer. My kids will just as happily use Grans computer (or ours) as the school computer to fiddle around on Scratch for example.It's not attached to the computer it's attached to the user account(poor FreeBSD doesn't have accounts)
None of the computers are "theirs", they are not the primary users.
In what world do they expect even well off people like us to provision a separate computer for each person? The kids don't need their own thing, they also shouldn't have unfettered access to screens, so they won't get their own system until they can acquire one themselves.
1 Likes
My review.
+ Totally implementable.
+ not a giant big tech boon.
+ simple law
- easy to circumvent.
- I don't trust them to not turn this in something problematic.
- also applies to IOT and servers.
This will mostly result in the automation of these cookie banner like age gates.
+ Totally implementable.
+ not a giant big tech boon.
+ simple law
- easy to circumvent.
- I don't trust them to not turn this in something problematic.
- also applies to IOT and servers.
This will mostly result in the automation of these cookie banner like age gates.
1 Likes
Quoting: LoudTechie- also applies to IOT and servers.This is the funniest part. Whose age should I set on the fridge? Mine, or the yogurt's? 😆
Anyway it's nothing particularly new. When I set up gmail accounts for my kids, I just added 10 years or whatever, so they don't get blocked from accessing stuff and I don't get pestered with requests for permission or whatever. If I installed such age-requiring OS today, I would do the same.
5 Likes
Quoting: pbYours.Quoting: LoudTechie- also applies to IOT and servers.This is the funniest part. Whose age should I set on the fridge? Mine, or the yogurt's? 😆
Anyway it's nothing particularly new. When I set up gmail accounts for my kids, I just added 10 years or whatever, so they don't get blocked from accessing stuff and I don't get pestered with requests for permission or whatever. If I installed such age-requiring OS today, I would do the same.
The issue is more do you want to do that for your doorbell, your fridge, your car, your bike lamp and your thermostat. That'll be a lot of work.
I think point of sale settings might be legal in this sense, but would telling your birth date when buying things.
All I can hope in this sense is that I misunderstood:
General purpose computing device to mean a device that can do any computing task, instead of is designed to do any computing task.
0 Likes
Watch out! Your local congress critters are spitting up again. Someone get them a new rag, maybe a new diapy, and a nap. They're confused as to how anything works anywhere in the earth again. Same as a 1yr old!
0 Likes
In Bible is text: "At the end of the world, children will turn of they parents".
I do not known, why operating system should provide check boxes to allow/disallow what children can do? I understood why creating API to ask how old child is, but criteria OS should provide check boxes? How to implement this, what rights should be settable, etc?
I do not known, why operating system should provide check boxes to allow/disallow what children can do? I understood why creating API to ask how old child is, but criteria OS should provide check boxes? How to implement this, what rights should be settable, etc?
0 Likes
Quoting: LoudTechieIt's not attached to the computer it's attached to the user account(poor FreeBSD doesn't have accounts)They don't have their own accounts either. How many home PC's actually have separate accounts? I mean houses where chaos rules?
Virtually zero, that's what.
That's my point.
0 Likes
Quoting: LoudTechieMy review.Prepare for the logrolling to begin. I doubt this bill will stay simple for long.
+ Totally implementable.
+ not a giant big tech boon.
+ simple law
- easy to circumvent.
- I don't trust them to not turn this in something problematic.
- also applies to IOT and servers.
This will mostly result in the automation of these cookie banner like age gates.
Last edited by naimad on 16 Apr 2026 at 3:46 pm UTC
1 Likes
spacemonkey 24 hours ago
The EU actually just released an app that enabled users to proof their age to an apps or website. This enables the user to stay completely anonymous, only the minimal required information is passed on to the app or website.
https://commission.europa.eu/news-and-media/news/european-age-verification-app-keep-children-safe-online-2026-04-15_en
US take not please. We don't need your BS.
https://commission.europa.eu/news-and-media/news/european-age-verification-app-keep-children-safe-online-2026-04-15_en
US take not please. We don't need your BS.
1 Likes
PlayingOnLinuxphone 20 hours ago
Quoting: spacemonkeyonly the minimal required information is passed on to the app or website.Which is already the maximum amount of information passed to the app or website. If you are under 18 you will switch that date once you become mature, so they know exactly your birth. For us adults no issue so far, but for all upcoming generations it means a fully transparent birthday.
Can't we just begin to teach our kids first? Where is the talk about improving schools? They could learn stuff that is also useful as adult, not just as child.
2 Likes
Quoting: grigiA. From that point it's the parents decision, since it costs nothing to make extra accounts. Making this a "parents decide" thing.Quoting: LoudTechieIt's not attached to the computer it's attached to the user account(poor FreeBSD doesn't have accounts)They don't have their own accounts either. How many home PC's actually have separate accounts? I mean houses where chaos rules?
Virtually zero, that's what.
That's my point.
B. We might be encountering my privileged upbringing here. My parents had the tendency to maintain separate account for the device owner and the rest of the family, so I assumed this to be common practice. Help with account setup could be included with the maternity care.
0 Likes
Quoting: spacemonkeyThe EU actually just released an app that enabled users to proof their age to an apps or website. This enables the user to stay completely anonymous, only the minimal required information is passed on to the app or website.But a lot of trust is still placed in the company that manages the national digital id system of your nation and your nation(they suddenly know which 18+ sites you visit by who requests it).
https://commission.europa.eu/news-and-media/news/european-age-verification-app-keep-children-safe-online-2026-04-15_en
US take not please. We don't need your BS.
It's 10 times better than the 10 most common ways to do age verification, but it's still scary. Although you won't hear me arguing it's impossible to avoid this porblem. It's still a problem..
0 Likes
Quoting: PlayingOnLinuxphoneThat's the current design and is only hampered by the fact that not everybody celebrates their 18th birthday by doing online 18th birthday specific things.Quoting: spacemonkeyonly the minimal required information is passed on to the app or website.Which is already the maximum amount of information passed to the app or website. If you are under 18 you will switch that date once you become mature, so they know exactly your birth. For us adults no issue so far, but for all upcoming generations it means a fully transparent birthday.
Can't we just begin to teach our kids first? Where is the talk about improving schools? They could learn stuff that is also useful as adult, not just as child.
That's not the only possible design though.
One can use rate limits and artificially induced latency to fight that.
A great way to limit the damage would for example be to make certain that age checks can only happen on a certain time interval.
Say for 1 day every month.
Also this assumes one can form a trustworthy pseudonymous profile of the target.
Edit:
[It's open source, so adding this feature is feasable and legal.](https://github.com/eu-digital-identity-wallet/av-app-android-wallet-ui).
Last edited by LoudTechie on 17 Apr 2026 at 9:09 am UTC
1 Likes
PlayingOnLinuxphone 2 hours ago
Quoting: LoudTechieThat's the current design and is only hampered by the fact that not everybody celebrates their 18th birthday by doing online 18th birthday specific things.Oh yes, than you are non of the people at this one day, but one of the 28-31 days bracket. Makes it so much more unlikely that they collect this data. /s
[...]
A great way to limit the damage would for example be to make certain that age checks can only happen on a certain time interval.
Say for 1 day every month.
In fact, that blurs the data just a little bit, but it is still close enough that they can separate these persons from 99.9% of the world. So companies only need further information to find out who of the 0.1% of all people are that person. Without the one months idea it would be more like 0.01% (because as you say people are probably not online at their birthday). It is indeed better, but I think it is clear that "better" doesn't mean much more protection.
Edit:At least something EU learned (making such tools open source). Yes I read it before. But it does not help against any of the bad things. For example if I would be a bad person, I could create an account for "my child" that is not existing and use it for myself to get merged to kids chats more easily etc.
[It's open source, so adding this feature is feasable and legal.](https://github.com/eu-digital-identity-wallet/av-app-android-wallet-ui).
The only way that is really feasible is to not send any data to any service. The services should provide age data themselves, so that a local parent control app can manage app access without exposing information to the companies. There is still a chance that some apps can get the age, but it is more likely to avoid exposing data entirely.
That app feels like the stupid attempt for the digital Euro, which exposes too much information (unlike GNU-Taler). The EU commission may learned something about Open Source, but still not enough to design good digital strategies. They should learn about data minimalism before creating such plans.
0 Likes
Quoting: PlayingOnLinuxphoneWhy your solution is worse than the eu app and violates your own "no data transfer" rule:Quoting: LoudTechieThat's the current design and is only hampered by the fact that not everybody celebrates their 18th birthday by doing online 18th birthday specific things.Oh yes, than you are non of the people at this one day, but one of the 28-31 days bracket. Makes it so much more unlikely that they collect this data. /s
[...]
A great way to limit the damage would for example be to make certain that age checks can only happen on a certain time interval.
Say for 1 day every month.
In fact, that blurs the data just a little bit, but it is still close enough that they can separate these persons from 99.9% of the world. So companies only need further information to find out who of the 0.1% of all people are that person. Without the one months idea it would be more like 0.01% (because as you say people are probably not online at their birthday). It is indeed better, but I think it is clear that "better" doesn't mean much more protection.
Edit:At least something EU learned (making such tools open source). Yes I read it before. But it does not help against any of the bad things. For example if I would be a bad person, I could create an account for "my child" that is not existing and use it for myself to get merged to kids chats more easily etc.
[It's open source, so adding this feature is feasable and legal.](https://github.com/eu-digital-identity-wallet/av-app-android-wallet-ui).
The only way that is really feasible is to not send any data to any service. The services should provide age data themselves, so that a local parent control app can manage app access without exposing information to the companies. There is still a chance that some apps can get the age, but it is more likely to avoid exposing data entirely.
That app feels like the stupid attempt for the digital Euro, which exposes too much information (unlike GNU-Taler). The EU commission may learned something about Open Source, but still not enough to design good digital strategies. They should learn about data minimalism before creating such plans.
Spoiler, click me
Letting the services collect the data themselves is only worse, because they will still know when you crossed the 18+ line(as ordered by you they've obtained this information themselves) and now they will also know whatever information you was provided to them, so they could figure this information out themselves.
The EU app blocks the transfer of the second set of data by centralizing this information by a party that already must have access to this information(this same database is used for the production of your id and all kinds of other government services reliant on date of birth). This is data minimalisation.
Your first point was that minimal data was too much, your second point is that everybody should collect minimal +1
Spoiler, click me
Yeah, duh that's out of scope and thus part of the data minimalization.
This app is supposed to provide proof that you're an adult. Not that you're underage and/or trustworthy.
None of the age gating laws require anyone to proof a maximum age(and none of kids group apps do either), because we know kids harm each other just as hard as adults harm them, so we provide them with adult supervision instead. It's just that adults should know better than to harm a kid, while kids don't have to.
Spoiler, click me
The one thing I have a problem is that the government receives information about private activities of its citizens these citizens often would love to keep private("adult" consumption isn't something everybody is proud of), which is why I made the design I made before.
Spoiler, click me
The requirements for a privacy respecting arbitrary static property verification system are that:
System abuse and it's prepretators can be detected.
The way it's used isn't detectable to the verifier of the static property.
The identity of the user isn't revealed to the ones who make the uses possible.
The hashsing algorithm I will be using is sha256, because I can assure that ids will be unique and unrelated.
I will be using the proven slow prngs, because the qualtity of this protocol falls and stands with the qualtity of a prng
The verifying party randomly generates n ids.
The verifying party runs each of the id's through the pseudorandom generator and generates (n-1)*p codes based on it.
It divides this set up in (n-1) subsets, one for each other ringmember.
Each of the subsets is labeled with a within the ring shared pseudonym for one of the other ringmembers.
The codes are send to the individual.
After which it's added to a pool of similarly labeled sets of the other ringmembers, here they are pooled together without saving to which member they originally belonged.
In total n*(n-1)*p=np(n-1)=n^2+pn-n-p codes are generated.
For each receiving server a seed is generated by the verifier and each of the codes is hashed with this seed as pepper.
This set of hashes, labeling and the seed is send to the receiving server, but not the original values.
When an individual connects to an age verifying server the server sends its seed and the individual randomly picks a value from the received ones and hashes it with the seed and sends that hash to the age verifying server.
If it matches the received hash with one of the hashes that hash is removed and the age is labeled as verified.
To determine potential abusers of the system the age verifying servers can simply check whether some of the n labeled subsets are getting abnormally underutelized.
If this turns out the system abusers are apperantly the ones in the underutelized sets.
After which not only the abuse, but also the abuser have been identified and appropiate action can be undertaken.
Many of these could involve reporting the abuse to some authority like the verifier.
This authority would need some proof of appropiate conduct at the side of the reporter.
The best I can offer is pseudonymous labeling for the subsets, so the reporter can't know who they reported.
To avoid birthday attacks p should be at least as large as n and probably larger, because accidentally matching a p row isn't a problem, but an n match allows one to blame other people for sharing codes.
p = 1.000.000
(n-1) = 1000
total storage use is
3 8bit bytes par sha256 hash
order can communicate subcatogrisation, since every other user has the same redundancy
n^2+pn-n-p
10^3^2+10^6*10^3-10^3-10^6=10^6+10^9-10^3-10^6=10^9-10^3=1,0000003*10^10
1,000003*10^10*3=3,0000009*10^10
around 10gb usage for the client
the servers store the hashes everybody and the seed, thus around
(n^2+pn-n-p)*n+1
1,0000009^10*10^3+1
is around 10 terabyte par server
Spoiler, click me
Yeah, that's a very smart and experimental system [as such the European commission is directly funding its development through NGI.](https://www.taler.net/en/news/)
[They also launched their own version.](https://www.taler.net/en/news/2024-01.html)
On your criticism of my proposed in app solution
Spoiler, click me
Yeah indeed small precision costs are the weakness of latency methods.
Yet A. these first precision points are also where the biggest strides can be made(you can't personalize birthday adverts, you can't scam somebody by claiming to be a relative with proof that you know their birthday, you can't pretend to be them by their doctor who uses it as part of their confirmation method, etc.)
B. Yeah, that's the issue with the principle of least privilege we can't hide more data without significantly harming functionality.
Spoiler, click me
Also something that might help a lot in this case is some form of rate limiting of requests like required user interaction and once a day.
This will amplify peoples own infrequency in adult consumption into uncertainty for the services.
Last edited by LoudTechie on 17 Apr 2026 at 3:49 pm UTC
0 Likes
How to setup OpenMW for modern Morrowind on Linux / SteamOS and Steam Deck
How to install Hollow Knight: Silksong mods on Linux, SteamOS and Steam Deck