Linux Developers Battle Age-Gated Internet

In January, Colorado lawmakers introduced a bill requiring operating systems to collect user ages and pass that data to app developers. SB26-051 was clearly tailored for commercial giants like iOS and Android, part of a broader push to age-gate the internet at the device level. The goal was to help developers block age-inappropriate content for children. But when Carl Richell, founder and CEO of Denver-based System76 and creator of the Pop!_OS Linux distribution, read the proposal, he was alarmed.

Richell quickly realized the law would likely apply to his small business. Without the vast resources of Apple or Google, complying would be a logistical nightmare. More fundamentally, he believed it would undermine the core principles of open-source software. Open source, he told The Verge, is “the best way to learn computing. There is nothing like learning from example, and the Linux desktop is a free, open-source example of how to build an entire operating system.” A system that restricts how children interact with apps or denies them root access, he argued, “breaks that.”

Richell engaged directly with state lawmakers, spending weeks advocating for changes and posting updates online. On April 23rd, he testified before a Colorado House committee. “Everyone should have access to the ability to create with a computer,” he said. “Open-source software makes that possible. It ensures that everyone, regardless of age or background, can learn, experiment, and build at the most fundamental level.” He warned that the bill, as written, “unintentionally swept that world into its scope.”

His persistence paid off. On May 1st, SB26-051 passed with an exemption for open-source operating systems like Linux. “We have created a template that I hope other legislatures adopt,” Richell told The Verge.

Richell’s experience ended well, but age verification laws remain a contentious issue across the open-source community. As several U. S. states debate similar rules, some developers are still figuring out how to respond. Others are openly defying the new regulations. And a few, like Richell, are trying to educate lawmakers about the unique challenges of open-source software.

Concern escalated late last year when California passed AB 1043. Starting January 1st, 2027, operating systems and app stores in California must collect users’ ages during device setup. Open-source developers and users were left wondering how the law would apply to them , or if it even could.

The practical hurdles are significant. Many open-source projects are volunteer-run and lack the funding for age verification (also called “age assurance” or “age attestation”). The nature of open-source software makes compliance even more complex. If a developer adds age-gating tech, someone else can simply fork the software and strip out those measures. And if legal action follows, liability is unclear.

Beyond logistics, age verification clashes with the ethos of many open-source projects, which prioritize privacy, customization, and minimal data collection. Developers now face a difficult choice: respect user privacy or comply with the law.

“Protecting children online is absolutely important,” said Michael Dolan, SVP of strategic programs at the Linux Foundation. “However, age verification mandates imposed on open source systems create new privacy risks while remaining easily circumvented. This is security theater, not improved child safety.”

California is not alone. Colorado’s bill, now awaiting the governor’s signature, was modeled on California’s. Illinois’ HB4140 is similar. New York’s S8102A would require age assurance on any device that can access the internet.

Some developers have yet to announce their plans. Jon Seager, VP of engineering at Canonical (the company behind Ubuntu), wrote in a March blog post that the company is “aware of the legislation and is reviewing it internally with legal counsel, but there are currently no concrete plans on how, or even whether, Ubuntu will change in response.”

Other distros are exploring ways to comply while minimizing privacy intrusion. Fedora Project leader Jef Spaleta suggested a “local API” or adding an “age” field to existing device ID mappings. Leading distributions like Ubuntu and Fedora could set a precedent, but some developers are avoiding compliance altogether, out of confusion or defiance.

The team behind MidnightBSD took an adversarial stance on X in February: “Until we have a better plan, we modified our license to exclude residents of California from using MidnightBSD for desktop use, effective January 1, 2027.” While nothing technically stops Californians from downloading it, the developers hope to avoid liability without altering their OS.

Some developers are banking on geography. “As we’re based in Ireland and don’t have any physical presence or nexus in California, there’s a possibility that this law may not be realistically enforceable,” said Artyom Zorin, CEO of Zorin OS, in a March forum post. One Garuda Linux developer echoed this: “Last time I checked, California law does not (yet) apply where I live.”

Others are openly defying the law. Ageless Linux, a conversion script for Debian, replaces the “birthDate” field with “a stub age verification API that returns no data.” Created in protest, it records no user ages. Developer John McCardle is essentially challenging regulators. “The question is not whether this is legal,” the site states. “The question is whether anyone wants to spend the State of California’s money suing a person who handed a child a Linux USB drive.”

McCardle provides detailed instructions for distributing Ageless Linux to children and even plans an “Ageless Device” , a sub-$15 single-board computer running the script. He argues that laws like AB 1043 don’t need to be enforced to have an impact: “It works by making small developers afraid. It works because the cost of defending against even a frivolous AG action exceeds the entire annual budget of most open-source projects.”

Many privacy advocates oppose these laws categorically. “Open source exemptions reflect a better understanding of how these operating systems are developed and distributed, but they do not address the fundamental problem,” said the Linux Foundation’s Dolan. “There are more effective and less invasive ways to protect children online than centralized, easily bypassed age verification measures.”

At a minimum, Carl Richell and others hope lawmakers will offer carveouts for open-source software. “SB51 is about identifying who’s a kid in a closed ecosystem,” he said. “Applying that broadly can push age verification into open systems that were never built to collect that kind of information in the first place.”

The final text of Colorado’s law exempts anyone making or providing an operating system or application under license terms that permit copying, redistribution, and modification without platform-imposed restrictions. Richell says this is tied to “user rights inherent in open source software” and avoids covering projects that don’t align with its spirit.

Richell noted that the bill’s sponsors invited community input, and most suggestions were included in amendments passed on April 23rd. “That kind of process may not happen everywhere, but the general approach can translate,” he said. “Many of these bills are written without a deep understanding of how open-source software is developed and distributed. When developers and users engage early and explain the mechanics, it helps policymakers see where broad requirements could create unintended consequences.”

Zorin encouraged users to contact their representatives and oppose invasive age verification. Short of blocking the laws entirely, he sees a carveout as the only reasonable solution.

“We don’t see any other way these age verification laws could feasibly work other than to exempt open source operating systems entirely,” Zorin told The Verge. “In the worst-case scenario where all operating systems must legally include age verification by default, Linux users could simply remove or overwrite the age verification components in their systems to circumvent any such checks. The more invasive the age verification measures, the more likely users are to circumvent them in this way. It is up to lawmakers to make the effort to understand this reality.”

If open-source exemptions become common, they could drive more users to Linux. The platform has already seen a surge among Steam users, possibly fueled by Microsoft ending Windows 10 support. Zorin OS 18 has seen nearly 4 million downloads since its October release, over 78 percent from former Windows and macOS users.

“In a world where governments and big tech companies are increasingly exerting control over our own devices, we’re seeing more interest than ever in switching to more user-respecting alternatives,” Zorin said. “If more and more restrictive measures are legally mandated on mainstream consumer tech, we’re likely to see Linux adoption continuing to break records.”