Governments are moving beyond the familiar battleground of social media and app stores. They are now demanding that operating systems themselves police user ages, creating unprecedented friction between state regulation and the open source ecosystem.
California's Digital Age Assurance Act (AB 1043), signed by Governor Gavin Newsom in October 2025, requires every operating system provider in California to collect age information from users at account setup and transmit that data to app developers via a real-time API, with the law taking effect on January 1, 2027.
The law appears narrow on its surface. The law does not require photo ID uploads or facial recognition, with users instead simply self-reporting their age, setting AB 1043 apart from similar laws passed in Texas and Utah that require "commercially reasonable" verification methods, such as government-issued ID checks. Yet this simplicity masks a deeper problem: the law applies to every operating system provider, from Microsoft and Apple down to community-driven Linux distributions that operate without corporate infrastructure or user account systems.
The law's broad definition of an "operating system provider" — anyone who "develops, licenses, or controls the operating system software on a computer, mobile device, or any other general purpose computing device" — pulls in not just Windows, macOS, Android, and iOS, but Linux distributions and Valve's SteamOS.
The technical challenges are real. Some developers are exploring workable solutions. Fedora Project discussions have considered mapping age brackets to user accounts through local system files, keeping age information on the device itself. Ubuntu's parent company Canonical is consulting legal counsel but has not announced concrete compliance plans. Yet other projects have taken a more confrontational stance.
MidnightBSD has taken a firm stance against compliance by updating its license to explicitly exclude California residents from using it for desktop purposes starting January 1, 2027. A scientific calculator application, DB48X, has done the same. These developers argue the law is unenforceable and legally unjustifiable.
Supporters of age verification laws argue they protect minors from harmful content. Developers who receive the signal are "deemed to have actual knowledge" of their users' age range under the law, which shifts legal liability for age-appropriate content decisions onto them. The state is essentially delegating parental oversight to software companies.
Critics counter that the system fails at its own objective. Self-reported age without verification has a fundamental flaw: teenagers can lie. System76 CEO Carl Richell pointed out that many of his own employees first installed operating systems and created accounts while under 18, driven by curiosity about computing. These restrictions, he argues, will exclude the very young people who should be learning to code and understand technology. The law does not prevent dishonesty; it merely creates legal jeopardy for developers who cannot police user truthfulness.
Enforcement is another problem. About half of all US states have some form of age verification law. Nine of those were passed in 2025 alone, covering everything from adult content sites to social media platforms to app stores. California's approach is spreading. The US states of California, Colorado and Illinois are passing new age verification laws that require operating systems, including Linux and BSD distributions, to implement age attestation during account setup and provide an API for apps to query user age brackets. New York's proposed legislation goes further, explicitly forbidding self-reporting and requiring "commercially reasonable" verification without defining what that means.
The global dimension adds urgency. Brazil has gone further. The Digital Statute of the Child and Adolescent comes into effect on March 17, 2026, and it explicitly names operating systems and app stores by definition. The Digital Services Act (DSA) is already in full effect across the EU as of February 2024 for all digital services to ensure high levels of privacy, safety, and security for minors, with new guidelines added in late 2025 that mandate robust age verification for certain services.
Australia offers an instructive parallel. On December 10, 2025, Australia implemented a world-first national ban preventing individuals under 16 from holding accounts on most major social media platforms. The law emerged amid growing concern over mental-health risks, online harms, and the addictive design of social media—particularly for children and adolescents. Yet even the technical definitions were contentious. The eSafety Commissioner investigated whether GitHub, a code-sharing platform, should be classified as social media. Eventually, GitHub was excluded from the ban. The question now is whether Australia will consider extending similar restrictions to operating systems.
The fundamental tension is worth acknowledging. Parents and societies have legitimate interests in protecting young people from harmful content. At the same time, regulating the operating system itself represents a new and untested form of state control over computing infrastructure. Once embedded, such verification systems create architectural foundations for further expansion. Once embedded, that regulatory architecture of control is easy to expand and difficult to roll back.
Open source projects cannot absorb compliance costs that commercial firms can. They have no dedicated legal departments, no privacy infrastructure, no account management systems. They exist to give users computing power without gatekeeping. Yet these laws make gatekeeping compulsory. Some projects will comply by adding minimal age flags to local files. Others will exclude entire states or countries. The outcome is fragmentation, where users in California or Colorado face different restrictions than those elsewhere.
The practical effectiveness of these laws remains deeply questionable. Self-reported age verification works only if people are honest. Teenagers who want to bypass restrictions face a straightforward workaround: lie. The enforcement challenge that has made VPNs and proxy services popular in regulating other online content will be no less acute here. These laws create the appearance of protection without delivering it.
What cannot be questioned is the momentum. When California legislates tech policy, other states and countries pay attention. The question for policymakers is whether requiring age verification at the operating system level actually protects young people or simply creates a compliance burden that disadvantages open source developers while leaving vulnerabilities that minors can easily exploit.