this post was submitted on 21 Feb 2026
210 points (98.6% liked)

Technology

81653 readers
3891 users here now

This is a most excellent place for technology news and articles.

Our Rules

  1. Follow the lemmy.world rules.
  2. Only tech related news or articles.
  3. Be excellent to each other!
  4. Mod approved content bots can post up to 10 articles per day.
  5. Threads asking for personal tech support may be deleted.
  6. Politics threads may be removed.
  7. No memes allowed as posts, OK to post as comments.
  8. Only approved bots from the list below, this includes using AI responses and summaries. To ask if your bot can be added please contact a mod.
  9. Check for duplicates before posting, duplicates may be removed
  10. Accounts 7 days and younger will have their posts automatically removed.

Approved Bots

founded 2 years ago
MODERATORS
L3s@lemmy.world
enu@lemmy.world
technopagan@lemmy.world
L4s@lemmy.world
L3s@hackingne.ws
210
Colorado proposing Bill to move age verification to Operating System rather than web site (www.biometricupdate.com)
submitted 22 hours ago* (last edited 22 hours ago) by Beep@lemmus.org to c/technology@lemmy.world
95 comments fedilink hide all child comments
 

Senate Bill 26-051 reflects that pattern. The bill does not directly regulate individual websites that publish adult or otherwise restricted content. Instead, it shifts responsibility to operating system providers and app distribution infrastructure.

Under the bill, an operating system provider would be required to collect a user’s date of birth or age information when an account is established. The provider would then generate an age bracket signal and make that signal available to developers through an application programming interface when an app is downloaded or accessed through a covered application store.

App developers, in turn, would be required to request and use that age bracket signal.

Rather than mandating that every website perform its own age verification check, the bill attempts to embed age attestation within the operating system account layer and have that classification flow through app store ecosystems.

The measure represents the latest iteration in a series of Colorado efforts that have struggled to balance child safety, privacy, feasibility and constitutional limits.

you are viewing a single comment's thread
view the rest of the comments
[–] baronvonj@piefed.social 19 points 22 hours ago (3 children)

This goes in a better direction than web sites doing it themselves, I think. The government put out an open source tool that runs locally and the browser just gets a yay/nay return code from it.

[–] tynansdtm@lemmy.ml 9 points 22 hours ago (2 children)

On paper, I like this solution better than every app/site developer having to hack together (or outsource) their own age verification system. But I'm sure it opens up a ton of potential problems. And if it's open source, someone could just fork it and make a version that always says "yes" so unfortunately it'll never be FOSS.

[–] pivot_root@lemmy.world 2 points 16 hours ago

It wouldn't even work on paper. All it would take to twist this into something dystopian is requiring attestation for the age range, and knowing lawmakers, they would justify it as a countermeasure for kids lying about their age. Expand the feature as a web API so websites can use the "easier" and "more secure" system-level age verification process and—oh look, now we can't use important websites without a commercial operating system.

It would be like Secure Boot but worse. At least with that you can turn it off or enroll your own keys.

[–] baronvonj@piefed.social 4 points 21 hours ago

Some kind of cryptographic signing of the executable could probably help with that.

Ultimately I don't believe there can ever be a foolproof solution and the emphasis should be on client-side parental controls.

[–] SnotFlickerman@lemmy.blahaj.zone 8 points 21 hours ago* (last edited 21 hours ago) (2 children)

  1. How do they secure age data? Age is most likely two characters, with a max of three characters. If there are penalties for sharing the age data when they aren't supposed to, how do they secure this? Even with cryptography a two character number with only 70-ish reasonable and expected variations is going to be difficult to secure.

  2. How do they ensure no one who is a different age ever uses the device? "Use mom's iPad" is univseral. Does mom get in trouble for letting her child use her device, does the parent end up with the fine?

However, if a developer has clear and convincing information that a user's age is different than the age indicated by an age signal, the developer shall use that information as the primary indicator of the user's age range.

  1. How do they determine age other than self-reporting with anything other than wholesale spying on user habits? What other way could they possibly glean "clear and convincing information that a user's age is different than the age indicated by an age signal" other than spying on a user's device use? This also implies remote-control of the OS if the operating system vendor can change the age-gate remotely based on user habits.
[–] UnspecificGravity@piefed.social 8 points 20 hours ago (1 children)
  1. You don't.
  2. Easy. The device constantly captures images of the user and checks them against the user image on file
  3. By scanning a government issued ID and checking against an online database with poor security.
[–] baronvonj@piefed.social 3 points 21 hours ago (1 children)

I feel like #1 and #2 are problems whether its client side or server side. As for #3 I would lean in the direction of there being a one-time check with no persistent knowledge. Like when you flash your ID to the bartender to order a drink. A client app that scans the ID and returns the answer to the requestor.

But I don't think there is any way to reliably implement this sort of thing. I think it should really just be left to parental control and monitoring.

[–] SnotFlickerman@lemmy.blahaj.zone 1 points 20 hours ago (1 children)

I think part of the problem is there shouldn't be a server-side to this. Because that's opening the door to all kinds of intrusive data-collection to determine age, even if they claim it should be done "minimally." Define "minimal." That seems to fly in the face of "clear and convincing information that a user’s age is different than the age indicated by an age signal" which is a direct quote from the Bill.

And as for number 3, I don't see how no persistent knowledge could work. If the client app has read the data ("scanned the ID") that means the client-app can now store that data anywhere the client-app has write access.

Further, it's not like in real life when the bartender can scan the person up and down, look at the ID and make the assessment that McLovin is clearly underage.

[–] baronvonj@piefed.social 2 points 20 hours ago

If it's open source it can be verified that it's not storing the data.

And I 100% agree that software scanning an ID is an overall bad way to verify. With a CC# validation at least that shows up on my statement, but if my kid is sneaky enough to get mine out of my wallet I have no way of knowing.

[–] Shdwdrgn@mander.xyz 5 points 20 hours ago (1 children)

The only thing this bill seems to affect are apps. It has no provision for websites, meaning kids would still have unlimited access to adult content. If a kid wants to get around browser checks, all they have to do is either install an older browser that doesn't use the OS verification, or find a plug-in that fakes it (and of course those will immediately come out).

Even worse, if the OS requires ALL software to acknowledge the age verification checks, what do you think that means? Everyone in Colorado is required to immediately spend thousands to buy all new versions of every program they use? And what happens to the software that is no longer updated? If you're lucky, you can buy something completely different and spend months rebuilding all your old information into the new system? Sounds wonderful.

[–] SnotFlickerman@lemmy.blahaj.zone 7 points 20 hours ago

I think it's pretty clear that this was written by people who are used to getting everything from the iOS store/macOS store/Microsoft store/Google Play store and have no fucking clue what using a computer that isn't "app-based" is like.