New York’s S8102A wants you to prove you’re an adult to use your exercise bike. California’s AB 1043—effective January 1, 2027—requires every operating system from Windows to Linux to collect user ages and report them to apps via API. Colorado’s following suit. On March 4, over 400 computer scientists from 30 countries signed an open letter warning these laws are “flawed” and will “cause more harm than good.” The next day, System76 CEO Carl Richell called them “ineffective and counterproductive” while announcing his company will comply anyway. Here’s the reality: these laws won’t protect children, will invade everyone’s privacy, and computer scientists are being ignored.
Technical Reality: VPNs, Lies, and Fake IDs Defeat Everything
The 400 scientists were blunt: age verification mandates are “easy to bypass.” California’s law proves it—users simply self-report their birthdate with zero verification. New York’s S8102A requires “commercially reasonable” verification but doesn’t define what that means. Meanwhile, 2025 studies confirm VPNs “remain the most reliable workaround.”
The French data protection authority put it plainly: “There is currently no solution that satisfactorily meets the requirements of effectiveness, reliability, and privacy-friendliness.” Translation? We don’t have the technology to do this without creating massive privacy risks.
Worse, empirical research shows age limits don’t reduce harm—they shift behavior to unregulated spaces. UK and Canada studies found restrictions “transform prohibitions from protection mechanisms into risk multipliers.” Kids don’t stop using the internet; they just use it in less safe, unmonitored ways.
The Privacy Cost: Third-Party ID Verification Creates Surveillance Infrastructure
New York’s bill goes further than California’s. Adults must prove they’re adults to use computers, smart watches, exercise bikes, and internet-enabled cars. Third-party verification means uploading ID documents—names, photos, birthdates, addresses—to companies with questionable security.
The risks aren’t theoretical. AU10TIX, a major age verification vendor, exposed user credentials for over a year. Names, dates of birth, nationalities, ID numbers, and document images—all leaked. The EFF calls these systems honeypots for hackers.
IEEE Spectrum explains the fundamental problem: “The only way to prove someone is old enough is to collect personal data about who they are. The only way to prove you checked is to keep the data indefinitely.” Age-restriction laws push platforms toward intrusive verification that directly conflicts with modern privacy law.
The scientists’ letter warns about what comes next: “Those enforcing them gain tremendous influence on what content is accessible to whom on the internet. This influence could be used to censor information.” Once identity verification infrastructure exists, it can be repurposed for surveillance and censorship.
How to Kill Open Source: Compliance Costs Small Projects Can’t Afford
On March 5, System76 CEO Carl Richell announced compliance despite vocal opposition. The reason? “Non-compliant Linux distributions will face ‘nerfed internet’ access for users.” Websites and apps will refuse to serve content without age signals. Canonical (Ubuntu) is also complying.
California’s definition is brutally broad: anyone who “develops, licenses, or controls” an operating system is liable. Penalties range from $2,500 to $7,500 per child in California, $10,000 per violation in New York. Implementation requires a D-Bus service on Linux to provide age data to apps.
Small open-source distributions face an impossible choice: build expensive compliance infrastructure or become unusable as websites block users without age signals. Windows and macOS will comply. Ubuntu and System76 will comply. But hundreds of community Linux distributions? They’ll die or cease to exist.
This is how you kill open source—regulatory compliance costs that big tech can afford but small projects can’t.
Why Politicians Ignored 400 Experts: Optics Over Evidence
Governor Newsom signed AB 1043 in October 2025 while simultaneously urging the legislature to amend it before January 2027, citing “complexities such as multi-user accounts shared by family members.” Translation: he knows it’s flawed but signed it anyway.
System76’s Richell was more direct: “The core issue is cultural rather than legal or technical.” The scientists recommended algorithm regulation, parental controls without third-party data collection, and digital citizenship education. Empirical studies show education and parental involvement far more effective than restrictions.
But those solutions don’t make headlines or let politicians claim they “protected children.” This is performative legislation—politicians choosing optics over evidence, ignoring unanimous expert opposition, and sacrificing privacy for political theater.
What Actually Works (But Politicians Won’t Touch)
The 400 scientists were explicit in their recommendations: “Regulation of social media algorithms” and “support for parents to locally prevent access to non-age-appropriate content or apps, without age-based control needing to be implemented by service providers.”
UK and Canada research confirms it: “Long-term protective effects are considerably higher where legal regulation and educational programs are closely interlinked.” The current approach—excluding kids from the internet—backfires when they find workarounds and use platforms in less safe, unmonitored environments.
We have evidence-based solutions that actually protect children without mass surveillance. Politicians chose the surveillance approach because it’s easier to pass a law than solve a cultural problem.
The Bottom Line
Four hundred computer scientists from 30 countries said these laws are flawed. The French data protection authority says there’s no technical solution that works. Empirical research shows restrictions increase harm. A major age verification vendor already leaked user data.
Politicians passed the laws anyway.
California’s AB 1043 takes effect January 1, 2027. New York and Colorado are following. Open-source projects will comply, die, or become unusable. Everyone’s privacy gets invaded. And children won’t be any safer.
This is what happens when lawmakers ignore technical reality for political optics. We built surveillance infrastructure that fails at its stated goal, killed open-source viability in entire states, and created honeypots of sensitive identity documents waiting to be breached.
Meanwhile, the solutions that actually work—algorithm regulation, education, parental controls—sit ignored because they require ongoing effort instead of one-time legislative theater.
