California AB-1043 Knock-On Effects
Image Credit: “Justice isn’t blind, she carries a big stick” by Jason Rosenberg on Flickr
Disclaimer: I am not a lawyer; this is not legal analysis, nor legal advice.
The far too short and ambiguous California bill AB-1043 has the potential to do real damage to the software industry. It aims to consolidate age verification at the operating-system and application-distribution levels, seemingly without understanding what either actually is.
Let’s take a look at some of the key definitions to explore some of its implications:
“Account holder” means an individual who is at least 18 years of age or a parent or legal guardian of a user who is under 18 years of age in the state.
So, the term “Account Holder” doesn’t seem to mean anyone with an account, but the user of an operating system who sets up access to the device. When looking at operating systems through the limited lens of mobile or desktop, the wording makes some sense. However, it’s not clear what this means for those running server OSes or containers. The law presumes that a person of legal age sets up the device for usage, but this use case simply doesn’t exist for servers, containers, CI, etc.
Regardless, the law continues:
A developer shall request a signal with respect to a particular user from an operating system provider or a covered application store when the application is downloaded and launched.
What does this mean for automated deployments? Do I need to do an age gate check each time I run Docker? Is a container registry a collection of operating systems or applications or both?
(e) (1) “Covered application store” means a publicly available internet website, software application, online service, or platform that distributes and facilitates the download of applications from third-party developers to users of a computer, a mobile device, or any other general purpose computing that can access a covered application store or can download an application.
This wording is broad enough to cover every single operating system package manager, like yum, apt or dnf, let alone cargo, NPM, PIP, and the like. Then again, maybe the age verification needs to happen by the developers themselves:
(f) “Developer” means a person that owns, maintains, or controls an application.
and
(b) (1) A developer shall request a signal with respect to a particular user from an operating system provider or a covered application store when the application is downloaded and launched.
This seems to shift the responsibility to the developers, not the owners of the package manager or app store. Does this mean that before I can run apt install sqlite3 on my Linux server, it needs to phone home to do an age check through some “accessible UI”? It’s unclear.
Here are more questions:
- Since not all applications are distributed as binaries, do we need an age gate for curl | bash style workflows?
- How will this affect access to open source software? Do I need to prove my age before I can access a GitHub repo? Not all “applications” are binaries.
- How would this affect embedded devices with their own OSes? Not just firmware, but more complex use cases like smart TVs, fridges with touch screens, fitness watches, or a Blu-ray player?
- This would be a California law, but since developers don’t know if a user is from California to start with, would all users need an age check?
- Who is the “account holder” in automated contexts such as CI/CD, or other autonomous systems? There is no user, but applications are downloaded and run anyway.
There are so many more questions, but let’s move ahead to one more disturbing clause:
1798.503. (a) A person that violates this title shall be subject to an injunction and liable for a civil penalty of not more than two thousand five hundred dollars ($2,500) per affected child for each negligent violation or not more than seven thousand five hundred dollars ($7,500) per affected child for each intentional violation, which shall be assessed and recovered only in a civil action brought in the name of the people of the State of California by the Attorney General.
While the law doesn’t require any legal IDs to be uploaded, user age will still need to be tracked to a specific install, or it would be impossible to prove a violation of this clause in court; the law implicitly requires developers to maintain such a record. Anyone developing open source software will need to actively track their users and their age information in a database and block them from using their software if they fail to provide age information. It doesn’t matter if you’re some rando developing a CLI tool in your basement, an NPM package, or Microsoft Windows. If you distribute software in any way, you’re on the hook.
Now, also think of the irony of a bill designed to protect children which spawns the creation of thousands of databases linking the age and usage information of children to specific accounts. Talk about an attack vector!
(2) (A) A developer that receives a signal pursuant to this title shall be deemed to have actual knowledge of the age range of the user to whom that signal pertains…
This may not seem like much, but if you know your user is a child, you are now also obligated to uphold any other child protection laws that may apply to the user as well, regardless of what kind of application you develop.
There should be more eyes on this bill, especially in the context of open source and wider implications to computing. This bill appears to be designed with the Google/Apple app store model in mind, but without any representation or thought given to the open source community.