Civil disobedience won’t work because they go after devs first not users.
This is missing the point and does not answer the question.
How exactly will a Californian attorney “go after” a Polish “dev” who develops FOSS based on legally established worldwide license, guaranteeing the 4 freedoms, resulting in legal civil disobedience?
Enforcement will focus on devs not users.
Have you read the AB-1043?
(f) “Developer” means a person that owns, maintains, or controls an application.
That suggests we are all controllers, i.e. developers. But:
According to (c) and (e)(1-2), an “application” is something something that connects to “the internet” in order to “download” another “application”, and has nothing to do with undefined terms like “extensions, plug-ins, add-ons, or other software applications that run exclusively within a separate host application”.
Does Xen connect to the Internet? Is the hypervisor an application? Is dom0 an application? Is the explicitly offline installer of Qubes an application? - No. Therefore the developer is not a “developer” as per (f).
BTW based on the above definitions, a browser add-on or a driver that spies on the user and only uploads data somewhere is not an application and does not need age verification. Great “protections for minors on the internet” with web cams. Another Indiana Pi bill.
Punish one, terrify thousands. That’s how it works.
If one behaves like livestock, one will be treated accordingly.
Sadly, earlier hints about all that were ignored. It is time to actually get an actual and official answer to the big question and how valid the old “liked it” still is.
Hello, Michael, good to see the Qubes team aware of this.
“we will see if any actions are truly needed by Qubes OS, and if so, minimize them to only users who identify as affected”. By that, do you mean that IF Qubes does implement anything, which I don’t think it has to or should, it will only implement it for the users in the affected states/countries (Brazil and California)? Is my interpretation correct? If so, can you shed some light on how it may work out in practice? Different ISOs for users in affected regions?
i have no idea & we have no plans to figure anything out at this stage. i think any work towards “implementing” is a mistake (morally & strategically) & waste of (our) time.
What about removing what seems already implemented upstream, thus entering our systems as well (through updates etc)?
Not legal advice. This is only a practical discussion of how this might be viewed and enforced.
Selected case examples of the USA versus people outside of the U.S., not as direct equivalents, but as examples that cross-border enforcement are not unheard of:
I am not saying that this is likely in this case, only that I would not treat it as absolutely inapplicable.
At least from my perspective, I do not see how FOSS versus proprietary / closed source would make a meaningful difference here.
Likewise, I am not convinced that the license would materially help with this specific concern.
I am not sure what definition of “legal” you are using here. In this context, doesn’t civil disobedience usually assume that the law is considered applicable but is not being complied with, and is therefore viewed by the state as illegal?
A practical definition of “legal” versus “illegal” might be “what the state will likely treat as such”. I would also avoid loading that term with moral judgement.
I am not persuaded by that interpretation.
Do you think that is what politicians intended to say, and what the attorney general and courts would actually interpret?
So what do you think the intention was, and what do you expect would happen in practice?
nothing in upstream will force some type of age verification in Qubes OS, at most upstream will add further optional parental controls that have no purpose in Qubes OS, given it is a single-user-as-admin OS.
so if you look at what the systemd merge actually is:
you see it is adding birthDate to an existing JSON userdb that already stores emailAddress, realName, location. so Qubes OS is already tracking your email address, real name, location?? no because those are not actually asked of the user or used by Qubes OS.
for the birthDate only admin will be able to change it, which in Qubes OS is the user as the user is admin…
so what are they going to do, force us to change the architecture of the OS away from single-user? and if we ignore them? will some random US state become the first place in the world to block residents from accessing Qubes OS website & downloading ISOs? what about all the ISO mirrors hosted elsewhere? etc etc.
basically these states are setting themselves up to be embarrassed (in court, in media, in public opinion), i dont think it will hold up to legal scrutiny, and regardless it shouldn’t affect Qubes OS users.
& we will continue to keep an eye on upstream in the meantime, as we always do.
so what are they going to do, force us to change the architecture of the OS away from single-user? and if we ignore them? will some random US state become the first place in the world to block residents from accessing Qubes OS website & downloading ISOs? what about all the ISO mirrors hosted elsewhere? etc etc.
Well, they are the first and best in all, ya know. /s
& we will continue to keep an eye on upstream in the meantime, as we always do.
Furthermore, I checked some of our office systems (RH/CentOS, SuSE, and Ubuntu). The systemd implementation is located in systemd-userdbd, but this service wasn’t even installed on any of the operating systems I checked. So, currently, it seems to be entirely optional.
As I’ve already mentioned in some posts, the issue isn’t so much the current requirements and planned implementations, but rather the future course of action if open-source operating systems implement such changes.
I have no illusions that the greed of politicians and law enforcement agencies will end if this “feature” is introduced. They will launch further attacks on user privacy.
This is just the beginning, and if this goes through relatively quietly, it’s certainly not over.
Selected case examples of the USA versus people outside of the U.S.
Case != win. As you surely know, it is not really the law that is exercised in many U.S. international activities.
At least from my perspective, I do not see how FOSS versus proprietary / closed source would make a meaningful difference here.
Taken out of context, it won’t. But the point of the whole thing was: FOSS has 4 freedoms which proprietary does not. The age restriction contradicts freedom 0. The requirement to impose such a restriction contradicts freedom 2. And freedom 1 allows one to remove the restriction. With proprietary you are not even allowed to look underneath.
Likewise, I am not convinced that the license would materially help with this specific concern.
What do you mean “materially”? I am discussing the contradictory legal aspects of this. Beyond them, I have no doubt about other possibilities (incl. another Assange or Hiroshima), but they have nothing to do with law.
I am not sure what definition of legal you are using here.
The FOSS license is a legal document.
In this context, doesn’t civil disobedience usually assume that the law is considered applicable but is not being complied with, and is therefore viewed by the state as illegal?
The right to protest peacefully is legal. Using holy hand grenades as a means to protest is not. The state cannot (legally) restrict the former.
A practical definition of legal versus illegal might be what the state will likely treat as such.
That would be tyranny, not lawfulness.
I would also avoid loading that term with moral judgement.
That is larger than this thread. In short, a law without morality is nothing but a means of oppression.
I am not persuaded by that interpretation.
Do you think that is what politicians intended to say, and what the attorney general and courts would actually interpret?
So what do you think the intention was, and what do you expect would happen in practice?
Well, I am just reading “aloud” what was written in that document, in a reply to a previous post, as the concern was that “they will go after devs”.
Sticking strictly to what is written, it is quite contradictory to a point of being meaningless - that is what I was trying to show. A legal document that attempts to regulate a technical matter juggles with vague semi-slang abstractions. Example: what are “extensions”? File extensions? Hair extensions? Memory extensions? Protocol extensions? No serious technician would be able to comply with such text without leaving huge room for “mistakes” that another properly-stimulated-financially technician may point out in a hypothetical testimony.
As I said earlier, to me this is a backdoor for mischief (nothing new) and an Overton window. Just something to refer to “legally” as an excuse for next noble democratic humanitarian activity. What @OvalZero shared seems to fit.
I would like to update you on Brazil’s Law 15,211 (ECA Digital). The law was implemented yesterday, March 18, 2026, by Federal Decree 18,880. I will quote the sections that address the obligations of operating systems:
“Art. 21. Internet app stores and operating systems must prevent the availability of products or services that promote, offer, or facilitate access to lotteries of any kind, including fixed-odds betting, that are not authorized by the competent authorities, and those that do not provide age verification solutions,…”
“Art. 25. Internet app stores and operating systems must provide user age data to suppliers of information technology products or services, free of charge, in accordance with the provisions…
I - request that account holders declare their age or age group when creating an account;
II - verify age using a reliable method, in accordance with the terms established by the ANPD, preferably by adopting verifiable credentials, in accordance with the provisions of Art. 11 of Law No. 15,211, of September 17, 2025;
III - allow for the challenge and correction of age classification upon presentation of additional evidence, with a reasoned decision within a reasonable timeframe; and
IV - adopt measures to prevent the creation of multiple accounts or other schemes intended to circumvent age verification mechanisms.
§ 3 Online app stores and operating systems must obtain authorization from legal guardians for children and adolescents to download and install apps, and must inform them of the age rating assigned to the apps prior to granting authorization, ….”
In my view, the best decision would be to block IP addresses from Brazil from accessing the Qubes website or forum, and the same goes for Whonix. Unfortunately, the reality is that it will be difficult for Qubes and Whonix to comply with Brazilian law.
I am Brazilian and have been using Qubes and Whonix as my primary operating system for several years.
I don’t want the projects to run the risk of being penalized in any way because of users who are subject to these laws.
So I think, as I suggested, IP addresses from Brazil could be blocked.
Existing users know how to get around this without compromising security and privacy.
At least this way, if new users in Brazil download Qubes and/or Whonix, they’ll do so through other means rather than the official website. I believe this would spare them from trouble.
I may be talking nonsense, but I don’t see any other way out at the moment. The law must be obeyed, and those who don’t comply may face penalties.
Thank you! I agree with your thinking and your principle. It sets a dangerous precedent to obey surveillance laws from countries Qubes is not even based out of! What’s next? Obeying whatever surveillance laws China comes up with?!
Those cases in your table have specificities that neither the Qubes project nor most community/non-company distros have.
They tend to either be criminal cases (which the aforementioned Californian law is not) or civil cases where the organisation in question is either legally based and registered in the US or companies/businesses which operate commercially in the US and thus subject to both federal and state law.
Moreover, several American courts (the 9th Circuit covering California, for example) have stated that mere global passive availability does not make an individual/organization fall under US (in this case Californian) jurisdiction. Open source software available for anyone in the world to download is almost the textbook definition of passive availability. Unlike many may think, the world does NOT belong to the US and their laws are NOT the world’s laws.
Distros that do have to somewhat worry (although not a lot) are company distros, which may be registered in California or commercially operate nationwide. For example, System76 sells computers with Pop!_OS installed to California.
Qubes has no U.S. registration, no California employees/assets, no targeted advertising, no paid downloads, they do not monetize information collected from Californian users etc etc. At most they should remove Californian mirrors and perhaps other US mirrors as well.
I can see however, why you personally worry about it, your situation and therefore that of the whonix project is a bit different from that of Qubes, you and whonix are a bit more exposed. But nothing that can’t be dealt with.
Obviously I am not a lawyer and this is not legal advice, merely the opinion of someone who has read related jurisprudence.
I’m going to respectfully but very forcefully disagree with you on that. The situation ten years ago was bleak, and the threat was obvious. The Snowden files had been released, encryption was being actively broken, there had been previous attempts to de-anonymize internet users, the V-chip had been a real proposal, the NSA tried to make using encryption illegal, etc.
It wasn’t so different. It never has been, and it won’t be.
A feature - age verification-related code - which was not a grassroots feature request and appears to have been opposed by the overwhelming majority of users - was pushed into systemd without much discussion, and the discussion was then locked.
In the cases that I linked, the government prevailed and the project did not.
My understanding is that FOSS is based on copyright law.
FOSS licenses are subordinate to government law.
The mechanism to enforce FOSS licenses is through copyright law and government courts.
Laws are made by governments.
Developers do not need a license to use their own software.
Licenses are given by authors to consumers. (Licenses are given by developers to users.)
Therefore, I am not convinced that a FOSS license would protect developers (operating system providers) where the law is applicable.
There is a hierarchy here, and laws rank above software licenses.
So, at least from my current non-lawyer understanding, I am not convinced that the license would materially help with this specific concern.
Licenses do help users in important ways, but perhaps not in a major practical way here. Most users are using downloadable binary images and binary updates. They do not build their own images and package updates from source code.
FOSS licenses are still helping “quite a bit” but perhaps not “materially” yet, because they leave the door open for source-based distributions where users could more easily opt in or opt out of undesirable (but perhaps legally mandated for the operating system provider / developer) features.
Peaceful protest is legal in many countries, but that does not really address how “legal” (as in compliant with government law) civil disobedience by operating system providers affected by age verification laws would look in practice.
I am not giving legal advice here. I am only trying to discuss the practical issue of how a state would likely treat such conduct.
Redefining these words may add confusion. If these words are being redefined, it may be useful to say explicitly that “legal” is not being used to mean “permitted by government law” but instead some other definition.
Especially in a discussion about government laws, using clear definitions seems helpful.
I agree that this law is poorly worded. If understanding what it is supposed to mean already requires a lawyer, then that creates room for arbitrary enforcement. In my view, it is wrong to define rules so poorly and then threaten or punish enforcement when no non-lawyer could reasonably understand them.
legally based and registered
The table entry Non-U.S. incorporated legal entity is meant to document that none of the sample cases is incorporated in the U.S. Either there is no evidence of U.S. incorporation or there is evidence of the contrary, i.e. a non-U.S. legal entity.
That is one major point of the table. I am only adding examples of Non-U.S. incorporated legal entity.
Do you think commercially is really the key word to focus on here? Or would it be better to avoid or drop it? If it is relevant, which legal definition of commercially are you using here?
Also, which legal definition of operate in the US are you using?
Do you think Qubes does or does not operate in the US and/or operate commercially in the US?
Having clearer criteria for why it was applicable in the sample cases but not here could be useful.
I am not trying to make a legal claim here. I am trying to identify a practical framework that helps distinguish the sample cases from this case.
Full disclosure:
I am documenting various pieces of information about age API-related legal issues and adding them to the Kicksecure age-api wiki page. This page might contain material that could be useful to point legal counsel to.
trust in themselves not to have accidentally doxxed themselves (against the odds, adversaries’ advantage, defenders’ disadvantage. A single mistake can de-anonymize someone.);
willingness to engage in civil disobedience;
willingness to take huge legal risks;
not using a legal entity that might provide legal liability protection;
the practical challenges of running a project completely anonymously.
So, from my perspective, your thesis may be unrealistic because what you suggest should have happened had not actually been foreseen by any project.
The material seized includes bank statements, donor information from Zwiebelfreunde’s inception in 2011 that it painstakingly documented on paper receipts, and the identities of people active in partner projects like Tor, and Tails, the privacy-focused operating system.
Because the Tails project tries hard to protect the identities of its members, Zwiebelfreunde kept information out of any electronic documentation. But, under pressure from tax authorities, the organization had compiled paper receipts with names and passport numbers of those the project had reimbursed.
They also used to attend (and may still do) IT conferences in person. [2][3][4]
Note: Tails developers are not fully anonymous either.
Not a secret for anyone who attended CCC conferences.
One may also debate whether Qubes is an operating system. Regarding its features, it should be classified more as a meta operating system, which is already done by several reviewers.
Several characteristics of “normal” operating systems are not present or hidden from the users of Qubes:
Qubes itself, especially dom0, does not load and execute applications. This is done in “real” operating systems, namely AppVMs.
Network access is done via a specially crafted interface, hidden from dom0 and the working VMs. sys-net is the only connection to the outside world, but this is no system component that is used directly, and sys-net has no user data and does not process them.
Being a single-user system, Qubes does not restrict the operations that a user may perform. This may be done within the “real” operating systems loaded in the AppVMs.
So Qubes may be regarded more as a device for installing and using operating systems than as an operating system itself. Following this line of argument, Qubes is not affected by the age verification law, but can regard that as an upstream issue for Debian, etc.
If devices capable of loading operating systems should have an age verification, that would apply to an “intelligent” refrigerator having an internet connection. In this case, such a fridge might be required to check if I am over 18 if I try to get a can of beer. Let’s not say that too loud - some legislators might get an idea…
If one needs to be a legal expert to understand law, then only experts should be expected to comply, i.e. the plebs are free not to. Obviously, that is not the case, and we are not in the growing category of people who can’t comprehend more than 1-2 pages of written text.
In the cases that I linked, the government prevailed and the project did not.
And there are cases in which it didn’t. What is your point? I am not saying “You are perfectly safe”. I am saying don’t comply with nonsense because worse nonsense will be imposed.
My understanding is that FOSS is based on copyright law.
[…]
Therefore, I am not convinced that a FOSS license would protect developers (operating system providers) where the law is applicable.
Also, note again: AB-1043 does not define “developer” as identical to “operating system provider”. If you control the “application”, you are a “developer”, and if you “control” the “operating system” you are a “provider”.
I agree that this law is poorly worded. If understanding what it is supposed to mean already requires a lawyer, then that creates room for arbitrary enforcement. In my view, it is wrong to define rules so poorly and then threaten or punish enforcement when no non-lawyer could reasonably understand them.
Exactly. Yet, that doesn’t mean they won’t do it. It is not a clear law aimed to establish social justice. It is a formalized soft legal bat. If you don’t comply, you may be hit with it. If you don’t, the next bat will hit you and more others harder. - Make a deal or bad things will happen.
There is no case in human history where lawyers saved people from oppression. Social resistance FTW. There is no other way.