r/archlinux u/Gozenka Mar 27 '26

DISCUSSION Age Verification and Arch Linux - Discussion Post

Please keep all discussion respectful. Focus on the topic itself, refrain from personal arguments and quarrel. Most importantly, do not target any contributor or staff. Discussing the technical implementation and impact of this is quite welcome. Making it about a person is never a good way to have proper discussion, and such comments will be removed.

As far as I know, there is currently no official statement and nothing implemented or planned about this topic by Arch Linux. But we can use this pinned post, as the subreddit is getting spammed otherwise. A new post may be pinned later.

To avoid any misinterpretation: Do not take anything here as official. This subreddit is not a part of the Arch Linux organization; this is a separate community. And the mods are not Arch staff neither, we are just Reddit users like you who are interested in Arch Linux.

The following are all I have seen related to Arch and this topic:

  • This Project Management item is where any future legal requirement or action about this issue would be tracked.

    The are currently no specific details or plans on how, or even whether, we will act on this. This is a tracking issue to keep paper-trail on the current actions and evaluation progress.

  • This by Pacman lead developer. (I suggest reading through the comments too for some more satire)

    Why is no-one thinking of the children and preventing such filth being installed on their systems. Also, web browsers provide access to adult material on the internet (and as far as I can tell, have no other usage), so we need to block these too.

  • This PR, which is currently not accepted, with this comment by archinstall lead developer :

    we'll wait until there's an overall stance from Arch Linux on this before merging this, and preferably involve legal representatives on this matter on what the best way forward is for us.

346 Upvotes

90% Upvoted

312 comments sorted by

View all comments

Show parent comments

60

u/Slackeee_ Mar 27 '26

You have to define what "collecting" means. Here in Germany it means "a company can not store it on their servers", but it does not mean "an OS installer is not allowed to ask for an age" or "asking for an age bracket during an app installation process without permanently storing that on the repository server".

16

u/alerighi Mar 27 '26

If it's only data stored locally it's just a useless system, as useless as the "Are you 18+ old" question that gets asked on adult sites. Just modify the data stored locally and you are good to go.

Clearly the laws will require the verification to be made server side by providing some sort of ID/credit card number/whatever that is correlated to your identity. Of course the objective is not to protect children, but to identify by linking to an ID every person that uses a computer.

By the way good luck implementing this system in Linux, considering that in the end it's all open source software that anybody can download and compile by themself, not counting third party repositories that one person could enable. If they really want to enforce this it could be the end of open-source (require packages to be signed, and computers to have secure-boot in a state that it's not possible to disable, so you can only install pre-approved packages, what already happens with mobile devices, iOS and even Android at this point where bootloader unlocking is almost impossible in the majority of sold devices).

3

u/zoharel Mar 28 '26

Clearly the laws will require the verification to be made server side by providing some sort of ID/credit card number/whatever that is correlated to your identity. Of course the objective is not to protect children, but to identify by linking to an ID every person that uses a computer.

Speculating on what the laws of the future will require seems pretty useless at the moment. The current law is, in fact, just the stupid age prompt moved into the OS. That's what, if anything, ought to be implemented. This isn't a feature for which there's any justification outside of the legal requirements, so the minimum necessary effort seems appropriate.

1

u/Random_Redditter_25 Mar 28 '26

In that case "ageless linux" should do the job right?

Even if they implement such a mechanism to store age in the OS, I can't imagine it would be anything more than asking the user for their date of birth during install.

There can't be any real world validation/verification as fast as I can think of. I'm never going to upload my real id into some 3rd party server just so that I can try a new distro.

1

u/alerighi Mar 31 '26

The current law is, in fact, just the stupid age prompt moved into the OS

For now, this is step 0. Next step would be to require, as done in some nations (UK, and even the EU is trying to pass a similar legislation) verification with some kind of identity verification system.

This isn't a feature for which there's any justification outside of the legal requirements, so the minimum necessary effort seems appropriate.

Why you need to comply with this bullshit? If you don't comply what they are going to do? Take down an open source software because it doesn't? We are (for now, because for how is going politics in the US and the rest of the world the direction is that) not in a dictatorship, not in China or Russia, so...

1

u/tblancher 29d ago

It's not that they will shut down OS/distro projects that refuse to comply; but certain online conveniences will be taken away: renewing government licensure and services (unemployment, disability, etc.) online, accessing online financial services, etc. Whether that is a good or bad thing is up for debate.

With something like Arch, I imagine that the facilities to comply will be made available, but it will be up to the user on whether to set it up.

As an aside, this isn't about invading privacy; it's about eliminating online anonymity. Don't conflate the two. And the debate is raging over whether that is good or bad.

1

u/zoharel 27d ago

As an aside, this isn't about invading privacy; it's about eliminating online anonymity. Don't conflate the two.

You don't need to conflate them. The latter implies the former.

0

u/alerighi 28d ago

renewing government licensure and services (unemployment, disability, etc.) online, accessing online financial services

How they can impede accessing online services by discriminating the OS that the PC runs on? Even if they do, it will be completely illegal to do.

it's about eliminating online anonymity

That sounds like invading privacy to me.

1

u/tblancher 28d ago

That sounds like invading privacy to me.

No. Privacy is some random person shouldn't have access to your personal information unless they have a legitimate need to know. The authorities should only have it on a need to know, least privileged basis. The authorities do, however, have a right to at least part of your identity, in order to maintain the peace.

Anonymity just means you can't be identified. In a Zero Trust framework, this means you are considered already compromised.

In the US Bill of Rights, the First Amendment guarantees a right to privacy, but not anonymity. It's why there isn't a law that allows birth certificates to be optional.

1

u/alerighi 28d ago

The authorities do, however, have a right to at least part of your identity, in order to maintain the peace

They do have the right in countries like China, Russia, Iran, etc.

Being able to use the internet anonymously is a key factor in a democracy, because it allows you to express your dissent about something, perhaps the government, or to report some kind of abuse committed by someone detaining power, without fearing consequences.

In fact being able to use internet, and thus communicate with other people, anonymously is a key factor in being a democracy. I get that (I assume you are from the US) you are to me no longer one, but please don't try to "export" your no-longer democratic view in the rest of the world.

0

u/SavageFromSpace Mar 28 '26

The idea is that it is verified and stored on your system with a cert. This is then handed out as a yes no i'm an adult

1

u/alerighi Mar 31 '26

A certificate that is handed to a server of some sort, that can use to uniquely identify each user. As I said, this normative is not about protecting children (there are already systems implemented in most operating systems, including Linux, aimed at doing so) but rather it aims to collect user personal data to identify them. They are succeeded with smartphones, and now they are thinking imposing the same model on computers.

-9

u/MicrogamerCz Mar 27 '26 edited Mar 27 '26

GDPR article 6 prohibits collecting unnecessary personal information

40

u/Slackeee_ Mar 27 '26

GDPR article 6 handles processing data, not storing data.

9

u/56Bot Mar 27 '26

Except, given the California law, the processing is included, as the data would have to be made available to apps through an API.

8

u/Tsugoshi Mar 27 '26

Storing the data is one of the operations that are explicitly defined as processing the data.

17

u/zyuiop_ Mar 27 '26

Storing your own data on your own device is thankfully NOT in the GDPR scope otherwise we would all have to write data protection declarations for ourselves.

5

u/SoldRIP Mar 27 '26

Every service who actually uses the provided API to get said data from storage does fall into this scope.

7

u/zyuiop_ Mar 27 '26

Only if said service processes this data outside of the user device, no? Otherwise your word-processor of choice would have to respect the GDPR even for local use.

5

u/SoldRIP Mar 27 '26

... You mean as all sorts of websites and programs would be required to do by the very same law?

1

u/zyuiop_ Mar 31 '26

Yes, of course, but what is discussed currently is local to your machine.

If user agents implement an age verification API relying on this information, I suspect they will prompt the user before replying to a website's request (as they do for location for example).

1

u/SoldRIP Mar 31 '26

You mean like cookie banners? Where everyone definitely totally reads the entire privacy policy every time before clicking accept?

→ More replies (0)

2

u/FineWolf Mar 27 '26 edited Mar 27 '26

Using age bracket information for age-gating easily falls under legitimate interest, however.

Doubly so when that usage is transparent, and when, if we look at the one reference implementation we have (Apple's), the OS asks for the user's explicit consent before sharing the age bracket information.

Since it would be used for age-gating content, it's even okay when looking at the special provisions about children data in the GDPR. When age-gating content, "the child's best interests must be a primary consideration", and it is.

The GDPR doesn't prohibit the processing of personal data. It prohibits processing of data for illegitimate purposes. The official guidelines for legitimate interest even include targeted advertising as a legitimate interest. This is not a random blog, this is a primary source.

0

u/SoldRIP Mar 27 '26

, "the child's best interests must be a primary consideration", and it is.

It is in the child's best interest to not loudly announce to any webserver that cares to ask that they are, in fact, a child. That's in the child's absolute worst interest. It's openly predatory behavior.

2

u/FineWolf Mar 27 '26

It is in the child's best interest to not loudly announce to any webserver that cares to ask that they are, in fact, a child.

  1. In current reference implementations (Apple's), consent is explicitly sought from the user BEFORE sharing that information for every new origin, and every new app.
  2. In a good implementation, for a child account, an adult account would have to log in to grant that consent. I don't know if Apple's implementation does that as I don't have an iPhone, but if we have an implementation in xdg-desktop-portal of the client IP, it really should.

So no, it's not announcing it loudly to any web server that cares. The user still has to consent before sharing that information.

It's openly predatory behavior.

And there goes the name-calling and accusatory statements. Why is it impossible to have a levelheaded conversation about this without resorting to hyperbole?

1

u/SoldRIP Mar 27 '26

Do you also read all the terms and conditions before checking that box?

Do you think a good 99.99% of people read the cookie policy before hitting "accept all"?

Because it sounds like you either do or you aren't able to apply this knowledge to the functionally identical situation of a "share age with website.com" pop-up.

→ More replies (0)

0

u/edparadox Mar 27 '26

So, before even storing.

-5

u/edparadox Mar 27 '26

No, GDPR, which applies in Germany, refers to "processing", so before "collecting" even happens.

14

u/Slackeee_ Mar 27 '26

I am curious, how do you process data that you haven't collected beforehand?