How much do we gotta worry about this Linux "age verification" BS?

In the case of 1Broker, its domain was seized by the Department of Justice.

I agree that userdb: add birthDate field to JSON user records by dylanmtaylor · Pull Request #40954 · systemd/systemd · GitHub is not a big deal by itself. However, I do think it sets a concerning precedent.

A feature - age verification-related code - which was not a grassroots feature request and appears to have been opposed by the overwhelming majority of users - was pushed into systemd without much discussion, and the discussion was then locked.

In the cases that I linked, the government prevailed and the project did not.

1Broker, Samourai Wallet and Tornado Cash no longer exist.

My understanding is that FOSS is based on copyright law.
FOSS licenses are subordinate to government law.
The mechanism to enforce FOSS licenses is through copyright law and government courts.
Laws are made by governments.
Developers do not need a license to use their own software.
Licenses are given by authors to consumers. (Licenses are given by developers to users.)
Therefore, I am not convinced that a FOSS license would protect developers (operating system providers) where the law is applicable.
There is a hierarchy here, and laws rank above software licenses.

So, at least from my current non-lawyer understanding, I am not convinced that the license would materially help with this specific concern.
Licenses do help users in important ways, but perhaps not in a major practical way here. Most users are using downloadable binary images and binary updates. They do not build their own images and package updates from source code.

And building from source code is difficult at this time: See
Update philosophy flaw - #13 by adrelanos

FOSS licenses are still helping “quite a bit” but perhaps not “materially” yet, because they leave the door open for source-based distributions where users could more easily opt in or opt out of undesirable (but perhaps legally mandated for the operating system provider / developer) features.

Peaceful protest is legal in many countries, but that does not really address how “legal” (as in compliant with government law) civil disobedience by operating system providers affected by age verification laws would look in practice.

I am not giving legal advice here. I am only trying to discuss the practical issue of how a state would likely treat such conduct.

Quote legal - WordReference.com Dictionary of English

permitted by law;
lawful:

Quote lawfulness - WordReference.com Dictionary of English

Allowed by law

Redefining these words may add confusion. If these words are being redefined, it may be useful to say explicitly that “legal” is not being used to mean “permitted by government law” but instead some other definition.

Especially in a discussion about government laws, using clear definitions seems helpful.

I agree that this law is poorly worded. If understanding what it is supposed to mean already requires a lawyer, then that creates room for arbitrary enforcement. In my view, it is wrong to define rules so poorly and then threaten or punish enforcement when no non-lawyer could reasonably understand them.

legally based and registered

The table entry Non-U.S. incorporated legal entity is meant to document that none of the sample cases is incorporated in the U.S. Either there is no evidence of U.S. incorporation or there is evidence of the contrary, i.e. a non-U.S. legal entity.

That is one major point of the table. I am only adding examples of Non-U.S. incorporated legal entity.

Do you think commercially is really the key word to focus on here? Or would it be better to avoid or drop it? If it is relevant, which legal definition of commercially are you using here?

Also, which legal definition of operate in the US are you using?

Do you think Qubes does or does not operate in the US and/or operate commercially in the US?

Having clearer criteria for why it was applicable in the sample cases but not here could be useful.

I am not trying to make a legal claim here. I am trying to identify a practical framework that helps distinguish the sample cases from this case.

Full disclosure:
I am documenting various pieces of information about age API-related legal issues and adding them to the Kicksecure age-api wiki page. This page might contain material that could be useful to point legal counsel to.

None of these projects remained completely anonymous. [1]

All of these predate Snowden disclosures in June 2013.

I was not aware of the V-chip at that time, and I could not foresee the War on General Purpose Computing.

The video “Trusted Computing”: Where the vendor distrusts and restricts the user. was released on Feb 1, 2012 according to YouTube and still has only ~ 3 K views at the time of writing.

For context, the founders of Tails OS, Qubes and Whonix were not U.S. residents or native English speakers.

Your thesis may rely on a number of unstated assumptions:

  • knowledge of what happened at the time;
  • proper mental assessment of its importance;
  • correct prediction of what would happen in the future;
  • perfect knowledge and implementation of practices to stay perfectly anonymous (such as knowledge about Stylometry; Keystroke and Mouse Deanonymization; Metadata; Tips on Remaining Anonymous), with no IP/DNS or identity leaks ever;
  • trust in themselves not to have accidentally doxxed themselves (against the odds, adversaries’ advantage, defenders’ disadvantage. A single mistake can de-anonymize someone.);
  • willingness to engage in civil disobedience;
  • willingness to take huge legal risks;
  • not using a legal entity that might provide legal liability protection;
  • the practical challenges of running a project completely anonymously.

So, from my perspective, your thesis may be unrealistic because what you suggest should have happened had not actually been foreseen by any project.


Quote https://www.zdnet.com/article/german-police-raid-homes-of-tor-linked-groups-board-members/

The material seized includes bank statements, donor information from Zwiebelfreunde’s inception in 2011 that it painstakingly documented on paper receipts, and the identities of people active in partner projects like Tor, and Tails, the privacy-focused operating system.

Because the Tails project tries hard to protect the identities of its members, Zwiebelfreunde kept information out of any electronic documentation. But, under pressure from tax authorities, the organization had compiled paper receipts with names and passport numbers of those the project had reimbursed.

They also used to attend (and may still do) IT conferences in person. [2][3][4]


  1. Note: Tails developers are not fully anonymous either. ↩︎

  2. Not a secret for anyone who attended CCC conferences. ↩︎

  3. Tails - 31C3_Public_Wiki ↩︎

  4. There was an in-person discussion of Qubes, Tails and Whonix. ↩︎

3 Likes