Senate Bill 26-051 reflects that pattern. The bill does not directly regulate individual websites that publish adult or otherwise restricted content. Instead, it shifts responsibility to operating system providers and app distribution infrastructure.
Under the bill, an operating system provider would be required to collect a user’s date of birth or age information when an account is established. The provider would then generate an age bracket signal and make that signal available to developers through an application programming interface when an app is downloaded or accessed through a covered application store.
App developers, in turn, would be required to request and use that age bracket signal.
Rather than mandating that every website perform its own age verification check, the bill attempts to embed age attestation within the operating system account layer and have that classification flow through app store ecosystems.
The measure represents the latest iteration in a series of Colorado efforts that have struggled to balance child safety, privacy, feasibility and constitutional limits.
I’ve been a longtime mobile and web developer, have a teenage kid with a phone, and am a big privacy advocate (card-carrying member of ACLU and EFF). As a parent, I don’t want my kid exposed to cyber-bullying, toxic social media, or algorithmic bullshit.
And I will tell you this: the operating system is 100% where you want to do age verification.
I don’t want individual social media sites, dodgy third-party orgs, or government agencies scanning our faces or IDs. Under a family sharing plan, the OS already knows how old the kid is. Any site wanting to gate access can privately ask the OS if age > X without spilling their PII. Same concept as OAuth. An opaque, encrypted token indicating GO or NO-GO.
Raging that they shouldn’t do any of this is just idiotic. Unfettered access got us CSAM, kids getting radicalized, or bullied to the point of self-harm. Fuck that.
From a technical point of view, having OS-level verification is the least worst, and in my technical opinion, the best option.
As a software engineer that works on virtualization and is interested in software freedom, this law terrifies me because it’s a trojan horse for something much much worse than the already shitty status quo: remote attestation.
No, it’s the last place you want to do this check. Let me explain: because users control the PCs they buy right now, meaning they can install any OS and programa the so wish to install; governments at some point will decide that they cannot trust the results given by any OS.
The only way for governments will be to actually trust third parties (again) that will check properties in your computer through a module that controls the whole computer and users don’t have access to.
This is called remote attestation: https://www.eff.org/deeplinks/2023/08/your-computer-should-say-what-you-tell-it-say-1
With this technology, users don’t decide what programa they can install and run, they can’t even decide what websites can they visit.
It’s a brutal encroachment on the computer freedom you have enjoyed up to now, and the perfect tool for an authoritarian government to enforce what can you watch and in general, can do with your computer.
If this law is approved, I guarantee you it will spread and will have expanded versions requiring remote attestation. (Don’t worry, lobbyists will find a way to sell remote attestation preserves privacy to make it go down easier)
The end result is a nightmare-fueling scenario where someone like Peter Thiel through Persona not only has your information because it needed to verify to create the account in your computer, but Microsoft also has it, and governments through Microsoft may decide to limit which platforms you can access (X or something worse), if also if you’ve been a bad citizen, if you can run programs in any computer that can be legally sold.
All in all, this law is incredibly dangerous in the current political climate where even supposedly democratic governments are pushing for more authoritarian controls to digital life. And I’m surprised organisations like EFF haven’t seen this yet
Oh, what’s that you’re using? It’s Linux? Sure that’s fine, just make sure the age verification check works on it.
Wait, what do you mean you have “root access”? Why do you keep repeating “it’s my hardware and I own it”? You removed the age check system? You can do that! Hey, he’s not supposed to be able to do that!
Colorado proposes bill to ban open source operating systems
As a parent, systems and web developer of both open source and proprietary software. This would single-handedly be one of the most damaging things to ever happen to the world of personal computing.
It’s a horribly bad opinion. It’s the same old problem with client-side anti-chest. You can’t trust the hardware. If the user has full access to the computer, then they can do whatever they want with it. This is a core issue in security modelling. So what’s the answer? Try to lock down the system. This is why anti-cheat software, to play a video game, has more access to your computer’s hardware than you do as a user. Full access to every single file, data in memory, webcams, things on screen, etc.
What’s going to happen if it becomes mandated that age checks must happen in the OS? We’re going to get computers so locked down that you won’t be able to open a .txt file without some kind of authentication check.
No thanks. I’m happy to avoid every single age-check required service.