tl;dr: the “project” of open source age verification will inevitably implode — probably messily — and waste everyone’s time whilst also reifying a narrative of “support” for an approach to user safety that will not deliver its purported benefits.
Here I explain why it will fail from the perspective of ~40 years of free software and open-source coding.
And it’s not “because the user will switch it off”.
If you strew a metaphorical rope in front of a bunch of geeks, they will rapidly group together, split into two or more factions, and engage in tugs of war with each other whilst arguing importantly over architectural and strategic errors that the other team is making.
You can go browse the sorry husk of StackOverflow for evidence, but this has also always been the case; for any given software niche there are mutually-hostile solutions:
- System V vs BSD
- 386 BSD vs Minix vs Linux vs Hurd
- (FreeBSD vs NetBSD vs OpenBSD (each other)) all vs Linux
- Subversion vs Git vs Mercurial vs …
- OpenOffice vs LibreOffice
- MIT License vs GPL vs Apache License vs …
- Emacs vs XEmacs vs Lucid vs …
- MySQL vs MariaDB
- X11 vs XFree86 vs Wayland (… vs CLI)
- Jenkins vs Hudson
- Motif/CDE vs OPENLOOK
- KDE vs Gnome
- CORBA vs SOAP vs REST
- Applets vs ActiveX
- Java vs C#
- MSPassport vs Project Liberty
- XML vs Protobuf vs JSON vs …
- JavaScript vs ECMAScript
- HTML5 vs everyone
- Systemd vs System V Init
- Twitter vs Mastodon
- [insert any number of Linux distributions]
- …the list continues indefinitely; this is not free-market competition so much as it is rap-artists both working and dissing each other’s work
Software Development in general and Open Source in particular institutionalises “exit” and “competition”, and it is in the nature of the open-source community for people to become sufficiently angry or otherwise motivated to rage-quit an existing project and attempt to set up “differently” for any number of reasons, from project governance to solution architecture to implementation language to personal/corporate conflict to complete ignorance or hatred of existing approaches.
This does not always happen, but long-term consistency of a project usually is a result of a combination of two or more of:
- creation of a solution ecosystem or platform, rather than filling a functional niche
- clear, collective vision of user resources, user needs, user metaphor, and architectural design and approach
- solid yet uncontroversial governance, often pivoting around a BDFL / Benevolent Dictator For Life (Torvalds, Van Rossum, Wall, …) and user-centric ideology
Why Age Verification (AV) will Fail in Open Source
Basically: AV is not a governed visionary ecosystem, it’s a tickbox compliance requirement.
It’s a free-for-all.
Subsequent to the announcement that the State of California will demand AV, any number of junior devs now want to make names for themselves by being “first to ship this important feature” and so they will come up with half-assed solutions that fit within their preferred ecosystem (e.g.: DBus/Ubuntu) and nowhere else.
This is fine. Think of it as your five year old kid at the beach making a sandcastle. That’s what they do. They will demand applause, but it’s still an imaginary thing. And there will be dozens of sandcastles on the beach in short order, and they will all prosecute war amongst themselves.
The thing is: Age Verification is literally a gatekeeping solution. If it is to be effective at all, it must be deployed in situations where gatekeeping makes sense — and general purpose operating systems are not those places.
This is a point we’ve already learned from the likes of Digital Rights Management and different methods of copy-prevention for Floppy Disks, CDs and DVDs. To be effective the scope of the gatekeeping needs to be beyond user control, which is not the case in operating systems. Various workarounds such as Trusted Platform Modules have been proposed in the past, and (surprise!) they don’t work well (often: not at all) in Open Source operating systems where the intent is to exclude the user.
If you want to understand the background some more, go read The Coming War On General Purpose Computing — because we’ve seen this coming for more than a decade.
So: to wrap this up really briefly:
- Age Verification for Linux will create a bazaar of diverse non-solutions — lacking common foundations, visions, intentions
- …also utterly lacking the technical means to exclude the user from their own computer
- …and these competing “solutions” will aim, primarily, to get a few cheap headlines and ideally a puff-piece in the Guardian before they either fade naturally from lack of adoption, or are slashed-to-death by infosec practitioners; one or two might make it into a big distribution, and circumventions will rapidly arrive
Gatekeeping and Age Attestation
Privacy Wonks will hate it, but Mark Zuckerberg is correct that the proper place for prescriptive Age Verification is in the App Store of a mobile device; yes, that means Google and Apple will “find out more about you” but that can be minimised if they choose to implement a privacy-preserving protocol à la what happened over COVID tracking.
The reason people are angry about this is that they don’t understand that the App-Store-and-Google/Apple-Account approach to AV is a degenerate form of what we should have been doing all along: age attestation, not age verification.
The user should be signed up with their own preferred provider of private age-attestation services which they can enmesh into whatever transactions they require an age test for; this puts the user in control of provider choice and information protection, and the relying parties — vendors, porn sites, forums, whatever — should be obliged to accept attestation tokens.
But we don’t do that, probably because (a) it makes less money for the industry and (b) because Governments get more ID tracking metadata with the age verification approach.
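The attestation flow described above, sketched as an added example (not from the original post, nor any real provider's protocol). The token fields `age_over`, `aud`, `nonce` and `exp`, the function names and the `.example` URLs are assumptions made for illustration.

```javascript
// Added illustration: hypothetical token format, not a standard or a product.
const crypto = require('node:crypto');

// Attestation provider's Ed25519 key pair (constructed for this demo).
// Relying parties only ever hold the public half.
const provider = crypto.generateKeyPairSync('ed25519');
const b64 = (buf) => buf.toString('base64url');

// Provider side: it knows the user's age out of band and emits only a
// threshold claim. No name, date of birth or account id enters the token.
function issueToken(privateKey, { audience, nonce, minAge, ttlSeconds, now }) {
  const claims = { age_over: minAge, aud: audience, nonce, exp: now + ttlSeconds };
  const payload = Buffer.from(JSON.stringify(claims));
  return `${b64(payload)}.${b64(crypto.sign(null, payload, privateKey))}`;
}

// Relying party side: signature first, then audience, nonce, expiry, threshold.
function verifyToken(token, publicKey, { audience, nonce, minAge, now }) {
  const fail = (reason) => ({ ok: false, reason });
  const parts = String(token).split('.');
  if (parts.length !== 2) return fail('malformed');
  const payload = Buffer.from(parts[0], 'base64url');
  const sig = Buffer.from(parts[1], 'base64url');
  if (!crypto.verify(null, payload, publicKey, sig)) return fail('bad signature');
  const claims = JSON.parse(payload.toString('utf8')); // bytes the provider signed
  if (claims.aud !== audience) return fail('wrong audience');
  if (claims.nonce !== nonce) return fail('nonce mismatch');
  if (!(claims.exp > now)) return fail('expired');
  if (!(claims.age_over >= minAge)) return fail('age threshold not met');
  return { ok: true, claims };
}

// Constructed walk-through: one site asks, the provider answers, and the same
// token is then replayed against a second site and presented after expiry.
function demo() {
  const now = 1700000000; // fixed clock (constructed) so results are repeatable
  const ask = { audience: 'https://forum.example',
                nonce: crypto.randomBytes(16).toString('hex'), minAge: 18 };
  const token = issueToken(provider.privateKey, { ...ask, ttlSeconds: 120, now });
  const check = (over) => verifyToken(token, provider.publicKey,
                                      { ...ask, now: now + 5, ...over });
  return {
    accepted: check({}),
    replayed: check({ audience: 'https://shop.example' }),
    stale: check({ now: now + 600 }),
  };
}
```

Binding `aud` into the token stops replay across sites, but it also tells the provider which site the user is visiting; blinded or zero-knowledge issuance would be needed to hide that and is out of scope for this sketch.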