The Age Verification Trap: How State Legislatures Are Accidentally Writing Laws That Could Outlaw Linux

State age verification laws aimed at protecting children online are sweeping the country, but their broad definitions threaten to outlaw open-source operating systems like Linux while entrenching Big Tech's dominance and building a universal surveillance infrastructure.
Written by Lucas Greene

Carl Richell has been building computers for years. As the founder and CEO of System76, a Colorado-based manufacturer of Linux-powered hardware, he’s spent his career on the premise that people should control their own machines. Now he’s watching state legislatures across the country draft laws that could make the operating systems his computers run on illegal to distribute.

Not theoretically. Not in some distant, paranoid hypothetical. Right now.

A wave of age verification bills is moving through statehouses from Sacramento to Springfield, driven by bipartisan concern over children’s online safety. The stated goal is straightforward: prevent minors from accessing harmful content on the internet. But the actual text of these bills — the statutory language that would become binding law — frequently fails to distinguish between a social media platform with a billion users and a volunteer-maintained open-source operating system downloaded by a few thousand. And that failure, critics argue, isn’t a bug. It’s the architecture of a much larger political and commercial project.

The Bills That Broke the Model

California’s AB 1043 is the most prominent example. Signed into law with a compliance deadline of 2027, it requires any “operator” of an online service “likely to be accessed by children” to implement age verification or age estimation before granting access. As WebProNews reported, the law’s definitions are broad enough to encompass Linux distributions, which are freely downloadable from the internet and include web browsers, app stores, and package managers that can access virtually any content online.

The problem is structural. Linux distributions like Ubuntu, Fedora, and Pop!_OS — System76’s own operating system — aren’t companies in any traditional sense. Many are maintained by loose collectives of volunteers scattered across dozens of countries. They don’t have users in the way Facebook has users. They don’t collect data. They don’t serve ads. They don’t have revenue models that could absorb compliance costs. But under the plain language of AB 1043, they are “operators” offering services “likely to be accessed by children.”

Illinois followed with SB 3977. As WebProNews detailed, the Midwest bill took a similarly expansive approach, defining covered platforms in terms so broad that any software providing internet access — including an operating system’s built-in browser or package manager — could fall within scope. The bill made no exemption for open-source projects, nonprofit foundations, or individual developers contributing code on their own time.

Similar legislation has appeared in Texas, Utah, Arkansas, and more than a dozen other states. The pattern is consistent: broad definitions, strict liability, no carve-outs for software that doesn’t operate as a commercial service.

Richell has been vocal about what he sees as the real dynamic at play. In a series of public statements and interviews covered by WebProNews, he argued that major technology companies are quietly supporting these bills — or at minimum not opposing them — because the compliance burden falls disproportionately on smaller competitors and open-source alternatives. Companies like Google, Apple, and Microsoft already have identity verification infrastructure. They already collect enough data on their users to perform age estimation. For them, compliance is a marginal cost. For a Linux distribution maintained by volunteers? It’s an existential threat.

“This is about eliminating alternatives,” Richell has said. The argument is blunt, and not everyone agrees with it. But the structural incentives are hard to ignore.

Liam Proven, writing for The Register, laid out the technical absurdity in stark terms. Operating systems are not websites. They are not platforms in the way legislators use that word. An OS is a layer of software that manages hardware and provides a foundation for applications. Requiring an operating system to verify a user’s age before allowing access to the internet is like requiring a car manufacturer to verify a driver’s age before the engine will start — technically conceivable, perhaps, but fundamentally misconceived about where responsibility should sit.

Proven’s piece highlighted a deeper irony: the companies best positioned to comply with OS-level age verification are the same companies that already track users most aggressively. Apple’s iOS already requires an Apple ID. Google’s Android is tightly integrated with Google accounts. Microsoft’s Windows increasingly pushes users toward Microsoft accounts with cloud-based telemetry. These companies could, in theory, bolt age verification onto their existing identity infrastructure with relatively modest effort. The result would be to further entrench their dominance while making it functionally illegal to distribute an operating system that respects user privacy.

That’s the trap. And it’s closing.

Colorado offered a glimmer of a different approach. As WebProNews reported, state legislators there considered language that would explicitly exempt open-source software from age verification requirements. The logic was simple: open-source projects don’t have the commercial relationship with users that the bills are designed to regulate. They don’t monetize attention. They don’t algorithmically recommend content. They are tools, not services. Colorado’s willingness to draw that distinction was notable precisely because so few other states have bothered to try.

But even Colorado’s approach has limits. An exemption for open-source software doesn’t address the underlying problem with age verification mandates — namely, that they require someone, somewhere, to confirm the identity and age of every person who accesses a covered service. That means collecting government-issued identification, biometric data, or both. It means creating databases that link real identities to online activity. It means building exactly the kind of surveillance infrastructure that privacy advocates have spent decades warning about.

The Surveillance Machine Nobody Voted For

This is where the children’s safety argument collides with something much larger. As WebProNews analyzed, age verification at scale necessarily produces a system of universal identity verification. You cannot confirm that someone is over 18 without first confirming who they are. And once you’ve built a system that confirms who people are before they access online services, you’ve built a system that can track, log, and monitor what every identified person does online.

The technical requirements are inescapable. Age verification systems need to be accurate, which means they need real data — not self-reported birthdates, which are trivially falsified. The most commonly proposed solutions involve either uploading a photo of a government ID, submitting to facial age estimation using a camera, or using a third-party identity verification service that cross-references commercial databases. Each of these approaches creates a new data collection point. Each generates records that can be subpoenaed, hacked, or sold.

Third-party verification services are already a growing industry. Companies like Yoti, Jumio, and Veriff offer age estimation and identity verification APIs that can be integrated into websites and applications. Their business model depends on processing millions of identity checks. The more states that pass age verification mandates, the larger their addressable market becomes. Some of these companies have actively lobbied for age verification legislation, a fact that has drawn scrutiny from digital rights organizations including the Electronic Frontier Foundation.

The EFF has consistently opposed age verification mandates on First Amendment grounds, arguing that requiring identification to access legal content — even content that is inappropriate for children — constitutes an unconstitutional prior restraint on speech. Federal courts have historically agreed. The Supreme Court struck down the Communications Decency Act’s age verification provisions in 1997’s Reno v. ACLU, and lower courts have blocked similar state laws in Louisiana, Texas, and other jurisdictions.

But the legal environment is shifting. The current Supreme Court has shown less deference to expansive free speech claims in the context of technology regulation, and several justices have signaled openness to arguments that the government has a compelling interest in protecting children online that may override traditional First Amendment analysis. If even one major age verification law survives judicial review, it will create a template that every other state can copy.

And the template, as currently drafted, doesn’t distinguish between Meta and a Debian mirror.

The operational implications for open-source software are severe. Consider what compliance would actually require for a project like Fedora, which is sponsored by Red Hat but maintained by a global community of contributors. Fedora’s website offers ISO images for download. Its package manager, DNF, connects to repositories containing tens of thousands of software packages, some of which could access content deemed harmful to minors. Under a strict reading of laws like AB 1043 or SB 3977, Fedora would need to verify the age of every person who downloads the OS or uses its package manager.

How? Fedora doesn’t have user accounts in the traditional sense. It doesn’t require registration. It doesn’t collect personal information. Its entire design philosophy is predicated on the idea that users shouldn’t need to identify themselves to use software. Bolting an age verification system onto that model wouldn’t just be expensive — it would be philosophically antithetical to the project’s reason for existing.

The same is true for hundreds of other open-source projects. The Linux kernel itself is distributed under the GPL, a license that explicitly guarantees the freedom to use, study, modify, and distribute software without restriction. Age-gating access to GPL-licensed software would create a direct conflict with the license terms under which the software is released. No one has yet litigated what happens when a state law requires restrictions that a federal copyright license explicitly prohibits, but the collision is coming.

As WebProNews noted, California’s 2027 deadline is approaching fast. Companies and projects that fall within the law’s scope will need to have compliance mechanisms in place or face penalties. For commercial entities with legal departments and engineering teams, this is a manageable challenge. For volunteer-run projects with no budget and no formal organizational structure, it’s an impossible mandate that will likely result in one of two outcomes: either the projects stop serving California users — which, given the internet’s architecture, effectively means geo-blocking an entire state — or they simply ignore the law and hope they’re too small to attract enforcement attention.

Neither outcome serves children’s safety. Neither outcome serves the public interest. Both outcomes serve the competitive interests of large technology companies that would prefer a world where the only operating systems, browsers, and platforms available to consumers are the ones they control.

What Happens Next

The legislative calendar is full. More states are introducing age verification bills in 2026 than in any previous year. Most are modeled on existing laws from California, Utah, or Texas. Few include exemptions for open-source software. Fewer still grapple with the technical reality that age verification at the operating system level would require a fundamental redesign of how general-purpose computing works.

Some legislators are aware of the problem. Colorado’s exemption effort shows that. And there are quiet conversations happening in Washington about federal preemption — a single national standard that could override the patchwork of state laws and potentially include reasonable exemptions for non-commercial software. But federal action on technology regulation has been glacially slow, and the current political environment offers little reason for optimism about a nuanced, technically informed federal bill emerging anytime soon.

In the meantime, organizations like the Software Freedom Conservancy, the Linux Foundation, and the Open Source Initiative are mobilizing. System76’s Richell has become an increasingly prominent voice, arguing in interviews and public forums that the open-source community needs to engage with the legislative process before it’s too late. As WebProNews reported, the challenge is that most open-source developers are not lobbyists. They don’t have relationships with state legislators. They don’t have PACs or trade associations with offices on K Street. They write code. And the people writing the laws don’t understand what that code does.

That knowledge gap is the root of the problem. Legislators hear “operating system” and think Windows. They hear “app store” and think the App Store. They draft laws targeting the internet as they understand it — a collection of commercial platforms competing for attention — and don’t realize they’re also targeting the infrastructure underneath those platforms. The plumbing. The foundations. The tools that make the commercial internet possible in the first place.

And so the bills advance. Committee hearings are held. Testimony is given. Amendments are proposed, sometimes adopted, often not. The laws pass, because no legislator wants to vote against protecting children. The compliance deadlines arrive. And the people who build and maintain the software that the modern world runs on are left to figure out how to comply with laws that were never written with them in mind.

Or to stop distributing their software entirely.

That’s not a hypothetical. It’s a timeline. And the clock is already running.
