Age verification laws will damage open source
California's age verification law needs changes before it goes into effect in 2027.
In October 2025, California passed Assembly Bill 1043 (AB-1043), the "Digital Age Assurance Act." This is basically a "protect the children" law. But like most laws of this nature, it's poorly worded and overly broad, which means it will affect more people than just those it is meant for.
In this case, AB-1043 seems to target the Microsoft, Google, and Apple app stores. I am not a lawyer, but the text is not hard to read, so I think I have a good understanding of it. It's not a very long document, and I encourage you to read it for yourself: an original PDF document and HTML version are both available from the California website.
The bill starts with definitions, such as "Account holder," "Age bracket data," "Application," "Covered application store," "Developer," and "Operating system provider," which all seem to indicate an operating system where you can install applications from an app store. The next section provides the key points of the law. I've summarized the main issues here:
1798.501. (a) An operating system provider shall do all of the following:
1798.501. (a) (1) Provide an accessible interface at account setup that requires an account holder to indicate the birth date, age, or both, of the user of that device for the purpose of providing a signal regarding the user's age bracket to applications available in a covered application store.
1798.501. (a) (2) Provide a developer who has requested a signal with respect to a particular user with a digital signal via a reasonably consistent real-time application programming interface that identifies, at a minimum, which of the following categories pertains to the user:
…
1798.501. (b) (1) A developer shall request a signal with respect to a particular user from an operating system provider or a covered application store when the application is downloaded and launched.
Other sections in the bill require that if "account setup was completed before January 1, 2027, an operating system provider shall, before July 1, 2027, provide an accessible interface that allows an account holder to indicate" the user's age.
More than intended
AB-1043 is not just about the "operating system," but applications too. AB-1043 also notes that "the developer shall request a signal from a covered application store with respect to that user before July 1, 2027."
While this may have been meant to target Microsoft, Google, and Apple app stores, that's not how it's written. AB-1043 is written so broadly that it applies to everything.
"Applications" are defined as "a software application that may be run or directed by a user on a computer, a mobile device, or any other general purpose computing device that can access a covered application store or download an application" and "Operating system provider" as "a person or entity that develops, licenses, or controls the operating system software on a computer, mobile device, or any other general purpose computing device."
So this law applies to everyone, including developers who make and distribute operating systems and those who make and share open source applications. The law doesn't seem to make a distinction between an operating system with an app store and an operating system without one (where you install third-party apps). As a result, this would appear to apply to any open source application.
That's definitely not in the spirit of open source software, where you should be able to download and use an open source application, and study its source code, no matter who you are. The Open Source Definition specifically states "5. No Discrimination Against Persons or Groups" and doesn't mention age, just that the license "must not discriminate against any person or group of persons." This law would require changing that approach, at least in California.
Some Linux distributions are starting to discuss how (or if) to implement features that support AB-1043, with technical challenges to consider, including how to meet the requirements as written. For example, an acceptable method for the operating system to "signal" the user's age bracket to an app is not defined in the bill, only that it is "age bracket data sent by a real-time secure application programming interface or operating system to an application."
Legacy systems
Also look beyond Linux to other operating systems, such as the classic DOS operating system. FreeDOS is a "retro" operating system that is compatible with the DOS operating system from the 1980s and 1990s. FreeDOS isn't the only open source DOS, although I'd argue it's the most used. The DOS application programming interface (API) is well defined and has remained unchanged since June 1994 when Microsoft released the last version of MS-DOS (6.22).
As a single-user operating system, DOS doesn't have a mechanism to create accounts—no DOS does, not FreeDOS, MS-DOS, DR DOS, PC DOS, or any other DOS. It's not possible for any DOS to track the age bracket of who is using it, which means there's no way for DOS applications to request a "signal" from the operating system to indicate the person's age.
Even if FreeDOS were to add some kind of "signal" mechanism, it's impossible to update the classic DOS applications from the 1980s and 1990s. Those are third-party apps, most of which are effectively "abandoned" after the developers went out of business.
Time to change
The next eight months are an opportunity to fix AB-1043 before it goes into effect on January 1, 2027. I encourage anyone living in California to reach out to your state representative and demand that AB-1043 be repealed before it goes into effect.
Adapted from "California's age verification law is bad for open source" by Jim Hall, with the author's permission.
