Linux developers and the broader open-source community are pushing back against a wave of new US state laws that require operating systems to collect and share users' ages with app developers. The movement, which began in California and has spread to Colorado, Illinois, and New York, poses unique challenges for open-source projects that prioritize user privacy, customization, and minimal data collection.
The controversy started in earnest when California passed AB 1043, a law mandating that operating systems and app stores collect users' ages during device setup starting January 2027. The intention is to help app developers disable age-inappropriate content for minors. But for open-source communities, the law raised fundamental questions: How can volunteer-run projects afford to implement such measures? And can a system that is designed to be freely modifiable ever truly enforce age verification?
The Colorado battle and a template for exemption
One of the most high-profile fights occurred in Colorado with SB26-051, a bill modeled on California's law. The proposal initially applied to all operating systems, including open-source ones like Linux. Carl Richell, founder and CEO of System76 (the company behind the Pop!_OS Linux distribution), recognized the threat early. Based in Denver, Richell saw the bill as a direct challenge to the ethos of open source — a system where anyone can learn, modify, and redistribute code.
“Open source is the best way to learn computing,” Richell told The Verge. “There is nothing like learning from example, and the Linux desktop is a free, open-source example of how to build an entire operating system.” He argued that if a system can restrict how children use it — by blocking apps or denying root access — it breaks that learning potential.
Over several weeks, Richell worked with Colorado lawmakers, testifying before a House committee on April 23rd. He warned that the bill “unintentionally swept that world into its scope.” His persistence paid off on May 1st, when SB26-051 passed with an amendment exempting open-source operating systems. The exemption applies to software licensed in a way that permits recipients to copy, redistribute, and modify the software without platform-imposed technical or contractual restrictions. Richell called it a template for other legislatures to follow.
California’s AB 1043 and the spread of age-gating laws
While Colorado’s bill now sits on the governor’s desk, California’s AB 1043 remains the most influential law. It requires all operating systems sold or distributed in the state to include age verification by January 1, 2027. This has created a flurry of activity within the Linux ecosystem. The law poses practical problems: many open-source projects are volunteer-run with minimal budgets, and the nature of open source means that anyone can fork a project to remove age-gating features, raising questions about liability and enforcement.
Several other states are considering similar measures. Illinois has HB4140, which mirrors California’s requirement. New York’s S8102A goes even further, covering “any desktop, laptop, smartphone, tablet, or other device” that can access the internet. The Linux Foundation’s Michael Dolan criticized such mandates as “security theater, not improved child safety,” arguing they create new privacy risks while remaining easily circumvented.
How Linux distributions are responding
Responses from major Linux distributions vary widely. Canonical, the company behind Ubuntu, has taken a cautious approach. In a March 4th blog post, VP of engineering Jon Seager stated that Canonical is aware of AB 1043 and reviewing it internally but has no concrete plans for how or whether Ubuntu will change.
The Fedora Project leader, Jef Spaleta, suggested in February forum posts that a “local API” or adding an “age” field to the existing device ID mapping system could be a relatively privacy-friendly way to comply. Leading distributions like Ubuntu and Fedora may set precedents for smaller distros.
Others are more defiant. The developers of MidnightBSD, an open-source operating system, responded by modifying their license to exclude California residents from using MidnightBSD for desktop use as of January 1, 2027. While technically unenforceable in a practical sense, the move signals their refusal to comply.
Some developers are banking on jurisdictional loopholes. Zorin OS, based in Ireland, argued through its CEO Artyom Zorin that California law may not be enforceable against them since they have no physical presence there. Similarly, an unnamed Garuda Linux developer pointed out that the project’s servers and funds are in Finland and Germany, not the United States.
The Ageless Linux protest
The most overt act of defiance comes from the Ageless Linux project, created by developer John McCardle. Ageless Linux is a conversion script for Debian that replaces the standard “birthDate” field with a stub API that returns no data. The project’s website explicitly states it is designed to give children the ability to use Linux without age checks. McCardle provides detailed instructions: install Debian, run the script, hand the computer to a child. He even plans an “Ageless Device” — a sub-$15 single-board computer running Ageless Linux.
McCardle’s challenge to regulators is blunt: “The question is not whether this is legal. The question is whether anyone wants to spend the State of California’s money suing a person who handed a child a Linux USB drive.” He argues that AB 1043 works by making small developers afraid, because the cost of defending against even a frivolous action exceeds most open-source budgets. He says he would frame the receipt if fined.
Privacy and ethical considerations
Many privacy advocates oppose age verification laws on principle. The Linux Foundation’s Dolan emphasized that “open source exemptions reflect a better understanding of how these operating systems are developed and distributed, but they do not address the fundamental problem: There are more effective and less invasive ways to protect children online.” He pointed out that centralized age verification measures are easily bypassed, especially in open systems.
Carl Richell, after his success in Colorado, noted that the process of community engagement helped lawmakers see unintended consequences. He hopes other states will adopt similar approaches. Zorin OS’s Artyom Zorin encouraged users to contact local representatives and oppose invasive OS-level age verification, arguing that exemptions for open source are the only feasible solution. “The more invasive the age verification measures, the more likely users are to circumvent them,” he said.
The debate is also driving interest in Linux. Zorin OS released version 18 in October and has seen nearly 4 million downloads, over 78% from Windows and macOS users. Zorin believes restrictive measures on mainstream consumer tech will continue to boost Linux adoption. As he put it, “In a world where governments and big tech companies are increasingly exerting control over our own devices, we’re seeing more interest than ever in switching to more user-respecting alternatives.”
The open-source community now faces a critical choice: engage with lawmakers to shape exemptions, design technical solutions that protect privacy, or openly resist. What is clear is that the push for age-gated internet is far from over, and Linux developers are determined to ensure that the right to learn, experiment, and build with a computer remains available to everyone, regardless of age. The Colorado exemption may serve as a model, but with new bills emerging in multiple states, the battle is just beginning.
Source: The Verge News