That is ok. The writing was on the wall for a while. It is time to let it go. It served its purpose. We might as well start mapping out a way without it in a more serious way out of sheer necessity. I know I am.
Good on them. Devices shouldn't collect any extraneous data by default other than that needed to fulfill a feature a user consciously selects, and that includes this stupid age verification spyware regimes are pushing.
An adult had to pay for the ISP connection; that's the extent of age verification needed. We shouldn't be demanding adults expose their identities to for-profit entities and surveillance states, so much as mandating for-profit companies make parental controls easier to use, more effective, and stopping them from harvesting data on kids in the first place.
Not every corner of the universe needs to be baby-proofed; we just need to build a society where parents are enabled and supported to be parents, rather than outsourcing such a critical role to strangers and/or devices so they can get back to work.
Apps requesting an age is not extraneous and there are many legal and safety reasons why an app may collect this information. If the operating system doesn't do it you run into the cookie banner situation where every individual site has to implement a dialog box asking the user instead of there being a standardized way to do it.
Wasn't most of the hype surrounding the Motorola partnership based on the idea that you'd be able to get a device with GrapheneOS pre-installed, boosting the legitimacy of GrapheneOS as a competitor to Google Android? Sure, "GrapheneOS adds several more supported devices" is cool and all, but it's not nearly as exciting...
If shipping a specific device configuration to the US is illegal, Motorola should not ship this specific device configuration to the US.
I do not think our parent is suggesting otherwise.
AFAIK Motorola and GrapheneOS are not merging, they are getting into a partnership. They do not have to think or do exactly the same.
Apple can comply with both CCP and US demands at the same time without a problem. I am sure Motorola can adjust their services to the markets they are working in, as well.
They are not building a product that cannot be sold in their primary market. They are not designing GrapheneOS devices, they are improving existing devices to meet GOS requirements. There will still be an OEM OS for those devices. Preinstalled GOS devices can simply not be sold there.
I think that malicious compliance all the way might have been the better option here. If a birth date is all that is needed, let the user enter a random one. If actual biometric verification is needed alongside, let the user also paste the code to a fake biometric validator that always returns valid.
It is the same philosophy as with an app that forcibly wants an invasive permission to the detriment of the user. Let the app have the permission while in a sandbox so it sees nothing.
Giving in in any capacity is unacceptable. The GrapheneOS foundation is based in Canada and is not obligated to record this information, so they wont. They have no reason to comply, be it malicious or otherwise.
Agreed. This is one of those moments you might as well simply say no. For practical reasons too, your users do have options and tend to be the kind that will drop a distribution if it goes rogue.
They are not on an island; they need to function in society. If they want people outside Canada to use GrapheneOS, then they need to comply with local laws.
Maybe they don't care about that. Maybe they just want to make a secure phone OS, as a sort of hobby, and don't care if anyone uses it but themselves. That's ok too.
People who live in authoritarian states like North Korea or California can (and arguably should) ignore the fact that GrapheneOS is illegal where they live and use it anyway.
If you want a privacy-violating OS, there are already two big options on the market. A secure OS for people who do not live in authoritarian surveillance states offers a benefit to some people, even if not all people. A third privacy-violating OS offers no value to anyone anywhere in the world.
You'd need to closely read the law and have a lawyer advise you, but a neat attempt might be to just ask for the date of birth, send that "in real time" to the App Store program, and then have that program simply discard it?
I don't think current iterations of the law require that this be sent off-device in any way.
The second requirement of the California law is that there be an API available to all apps that returns the age band a user is in -- one of:
age < 13
age >= 13 && age < 16
age >= 16 && age < 18
age >= 18
A non-maliciously compliant implementation would need to retain a date of birth or equivalent until the user was over 18.
A maliciously compliant API could just wait 18 years after account creation before yielding an answer. (remember folks: "real time" does not mean "fast").
One of the oddities about the way the law is phrased is that it requires the age band information about the user be provided to "the developer" rather than to the application.
As they should, I was personally surprised so many people were surprised come ICE raids that government can buy and track location via apps, advertising and your phone in general. Regular people need an idea, who is.. uhh.. less likely to sell them down the river.
This is emblematic of a misunderstanding technologists often have about the law. We try to treat it like code we can exploit and hack around. But there is no compiler deterministically producing outcomes. Of course, this misunderstanding is often bolstered by the accurate observation that lawyers and businesses find loopholes and favorable interpretations that to us appear much like the exploits we propose. The critical element that's often missed, though, is the human one. To get away with an exploit, to have the case law updated to reflect your favorable interpretation, you need power, influence, and alignment on your interests. There are tax "loopholes" now that are commonly used but in a prior era, under the same laws, would have seen you dragged into court and eviscerated. If you tried your cute SD card trick a judge would tear you a new one. If Microsoft tried it, they could maybe talk to the right people before the case and come to an understanding that this little loophole was convenient for dev devices or something, and convince a judge to rule that they could do it, but only if accompanied by some external age confirmation they could self-attest to, with some wording that makes it clear that the trick is only usable by large and well-respected institutions. The law is not an impartial arbiter that you can outsmart. It's the enforcement mechanism for multiple tiers or rules that bind different classes. This age gathering law is a classic moat law. It exists to prevent outgroups from shipping software that's incompatible with this age communication system, and in a business-to-business context serves to establish obligations between ingroup members. Any other clever interpretation of the law will be discarded regardless of specific wording.
Virtue signal away. I’m with whatever device and OS purveyors are willing to tell these tyrants to get stuffed.
I haven’t cut over to it completely yet but I think this’ll be the last nail in the coffin for my time as an Apple user. It’s already a loveless marriage , it’s already over, I’m already sleeping with GrapheneOS on the side. it’s asking when I’m going to leave her and it’s always “soon, baby. soon.”
That raises the issues that GrapheneOS needs to solve, which may require more creativity than bold, somtimes combative statements.
If GrapheneOS doesn't comply with laws and regulations then they will sometimes be banned or restricted. If that happens, they may not be "usable by anyone around the world" for long.
That doesn't mean they have to capitulate or sacrifice security. They can find creative solutions, some of which are suggested here. The first step is to carefully read the spec to determine what is necessary, then talk to someone like the EFF, and find a way forward.
I know it's gonna be a very unpopular opinion. I do like, appreciate, respect & admire that they are ready to die on a hill. I just don't think it's the right hill. I do not have an issue with the legality of it. Rather I think age verification is actually not bad. Sure i see the potential danger. But there is potential benefits, that'd counter the danger, by a lot.
In different times, i might have argued differently. I'm not saying it's not worth protecting the world you deem worthy of protection. But no matter what that world is to any of you. The one we all share is changing for sure. Uncontrollably fast. And many things are gonna change. And many things won't matter that much anymore, if we actually end up going where we're headed.
I mean a this is just a super small part of it all, but i assume in this specific case, for graphene, it's a battle for privacy... and they're right. But we're still going into a future where we got 5,10,20,30 more years of "AI", even just keeping the same level of overall sophistication for most, but costs decreasing immensely... I don't know about you, but I don't think the ways we protect our privacy can be unaffected, already because we're going to learn all new aspects about which data is private. Just out of practicality. Extreme example: but if generating hundreds of obscene deepfakes of any person as easily as taking a photo with your iPhone... ah, i can't keep having this discussion, i hope i am just an insane moron who is wrong. But, just to be sure: instead of arguing if we should close the windows on the train that's burning, or leave them open, as some are smart and others need help, let's just get off the fucking train.
And yes of course. One might argue (I actually would), we should not start implementing laws like that or start making personal information a requirement to digital access.
But this might be the first step to a different future, or not. As i said, who cares where the train is headed. It's burning and nobody even really wants to be on it. Let's please get off the train.
Not saying the battle is lost. I have tried working on something because I still have great hope. But someone seriously must act. I tried, getting off the train. Or at least start standing up from my seat. Realizing it's not that easy to get off. It's embarrassing, but i can't even get off the train by myself... i tried anyway... but here i am, sitting again (currently on the floor, lost my seat, damn...)... i have been building something for the past 2 years. Well, trying to build something, an attempt to change course... ruining my life over it. And currently i failed, before i even got to a point where my prototype or any of the theoretical work even remotely represents the vision. But maybe i just learned, i was wrong about all of it. I hope i'll make it back being able to afford working on it and someday a way to make enough money to pay smarter people than me to join. But currently, it's insane for me for me to even dare dreaming about that. I have really dug myself a hole. Next time, it should at least be a hill...
So in the meantime: can people like the dudes & dudiñas from graphene please chose a wiser battle. If just some of all these people got together & worked on getting off the train, instead of working on things that seem meaningful now, but wouldn't even be considered worthy of being mentioned in the future... we'd have a shot.
Damn. I still just can't accept it, even though i've literally lost everything believing that. And i am ashamed so deeply believing in what i saw, and in friendly moments still see, as a future... thinking i could change it, without changing myself... but please god, in the end, let me not have been just bonkers, but convicted.
I appreciate the thought, but I personally disagree having seen the patterns of the past 2-3 decades. There is zero real benefit to it save powers that be. Honestly, the only reasonable move forward is non-compliance. Everything else results in steady inching towards full blown panopticon ( and some would argue that we are already there ).
In the meantime systemd already added handling for Age to the system bus. Next step is to add your race, then income, then who you voted for...
Finally we can set the evil bit correctly on a kernel level.
That is ok. The writing was on the wall for a while. It is time to let it go. It served its purpose. We might as well start mapping out a way without it in a more serious way out of sheer necessity. I know I am.
Western tech direction in the last 5 years:
https://www.youtube.com/watch?v=nXL-r8deB5o
GrapheneOS also posted about it on their Mastodon / Fediverse account: https://grapheneos.social/@GrapheneOS/116261301913660830
Good on them. Devices shouldn't collect any extraneous data by default other than that needed to fulfill a feature a user consciously selects, and that includes this stupid age verification spyware regimes are pushing.
An adult had to pay for the ISP connection; that's the extent of age verification needed. We shouldn't be demanding adults expose their identities to for-profit entities and surveillance states, so much as mandating for-profit companies make parental controls easier to use, more effective, and stopping them from harvesting data on kids in the first place.
Not every corner of the universe needs to be baby-proofed; we just need to build a society where parents are enabled and supported to be parents, rather than outsourcing such a critical role to strangers and/or devices so they can get back to work.
Apps requesting an age is not extraneous and there are many legal and safety reasons why an app may collect this information. If the operating system doesn't do it you run into the cookie banner situation where every individual site has to implement a dialog box asking the user instead of there being a standardized way to do it.
> An adult had to pay for the ISP connection
In many countries, it is still possible to buy a prepaid SIM without any ID.
How's that gonna pan out with Motorola?
Motorola likely wont sell devices with GOS preinstalled in those regions.
Wasn't most of the hype surrounding the Motorola partnership based on the idea that you'd be able to get a device with GrapheneOS pre-installed, boosting the legitimacy of GrapheneOS as a competitor to Google Android? Sure, "GrapheneOS adds several more supported devices" is cool and all, but it's not nearly as exciting...
More likely they will just add their own age widget themselves
If Motorola have a problem with it, they obviously aren't the right partner for Graphene.
Graphene obviously won't want to partner with a company that immediately bends over backwards for this kind of puritanical nonsense.
Motorola wont break the law. They just wont sell preinstalled devices, if preinstalled devices was even on the table for 2027.
Motorola will obviously have a problem with violating the law in several US states.
Like, what's unclear here? Do you seriously say that corporations should just ignore laws which they don't like?
If shipping a specific device configuration to the US is illegal, Motorola should not ship this specific device configuration to the US.
I do not think our parent is suggesting otherwise.
AFAIK Motorola and GrapheneOS are not merging, they are getting into a partnership. They do not have to think or do exactly the same.
Apple can comply with both CCP and US demands at the same time without a problem. I am sure Motorola can adjust their services to the markets they are working in, as well.
Motorola is pretty much only present in US these days, why would they build a product that can't be sold in their primary market?
Demanding that OSes outright violate the law because you disagree with your own elected government is pretty insane.
Can't speak about other continents but Motorola smartphones are at least available all over Europe so your initial statement is incorrect.
They are not building a product that cannot be sold in their primary market. They are not designing GrapheneOS devices, they are improving existing devices to meet GOS requirements. There will still be an OEM OS for those devices. Preinstalled GOS devices can simply not be sold there.
I think that malicious compliance all the way might have been the better option here. If a birth date is all that is needed, let the user enter a random one. If actual biometric verification is needed alongside, let the user also paste the code to a fake biometric validator that always returns valid.
It is the same philosophy as with an app that forcibly wants an invasive permission to the detriment of the user. Let the app have the permission while in a sandbox so it sees nothing.
Giving in in any capacity is unacceptable. The GrapheneOS foundation is based in Canada and is not obligated to record this information, so they wont. They have no reason to comply, be it malicious or otherwise.
Agreed. This is one of those moments you might as well simply say no. For practical reasons too, your users do have options and tend to be the kind that will drop a distribution if it goes rogue.
They are not on an island; they need to function in society. If they want people outside Canada to use GrapheneOS, then they need to comply with local laws.
Maybe they don't care about that. Maybe they just want to make a secure phone OS, as a sort of hobby, and don't care if anyone uses it but themselves. That's ok too.
As they stated "If GrapheneOS devices can't be sold in a region due to their regulations, so be it."
People who live in authoritarian states like North Korea or California can (and arguably should) ignore the fact that GrapheneOS is illegal where they live and use it anyway.
If you want a privacy-violating OS, there are already two big options on the market. A secure OS for people who do not live in authoritarian surveillance states offers a benefit to some people, even if not all people. A third privacy-violating OS offers no value to anyone anywhere in the world.
Asking the device owner for the user's birth date is precisely what the (California) law requires.
Biometrics are not required.
The concept appears to be that a parent or guardian could enter the birth date before turning the device over to a child.
Malicious compliance would be providing this age bracket API:
boolean is_user_over_18() { sleep (18 * 365.25 * 86400); return true; }
This is a real-time interface (as required by the law) that takes 18 years to complete. (Remember: "Real-time" does not mean "fast").
You'd need to closely read the law and have a lawyer advise you, but a neat attempt might be to just ask for the date of birth, send that "in real time" to the App Store program, and then have that program simply discard it?
I don't think current iterations of the law require that this be sent off-device in any way.
The second requirement of the California law is that there be an API available to all apps that returns the age band a user is in -- one of:
age < 13
age >= 13 && age < 16
age >= 16 && age < 18
age >= 18
A non-maliciously compliant implementation would need to retain a date of birth or equivalent until the user was over 18.
A maliciously compliant API could just wait 18 years after account creation before yielding an answer. (remember folks: "real time" does not mean "fast").
One of the oddities about the way the law is phrased is that it requires the age band information about the user be provided to "the developer" rather than to the application.
Agree. I didn't even think of that. Embarrassing. Your approach might have been the best option.
Seems like a pure virtue signaling: they don't sell or make hardware. It is mandated only for pre-installed operating systems, from what I understand.
As they should, I was personally surprised so many people were surprised come ICE raids that government can buy and track location via apps, advertising and your phone in general. Regular people need an idea, who is.. uhh.. less likely to sell them down the river.
They've partnered with Motorola to have it preinstalled on phones, this is in TFA.
Preinstalled devices is not the main goal of the partnership. GOS is ok without having that to start. Motorolas stock OS will still be available.
Could just ship it along on an SD card with a single button install you do yourself. Technically not preinstalled.
This is emblematic of a misunderstanding technologists often have about the law. We try to treat it like code we can exploit and hack around. But there is no compiler deterministically producing outcomes. Of course, this misunderstanding is often bolstered by the accurate observation that lawyers and businesses find loopholes and favorable interpretations that to us appear much like the exploits we propose. The critical element that's often missed, though, is the human one. To get away with an exploit, to have the case law updated to reflect your favorable interpretation, you need power, influence, and alignment on your interests. There are tax "loopholes" now that are commonly used but in a prior era, under the same laws, would have seen you dragged into court and eviscerated. If you tried your cute SD card trick a judge would tear you a new one. If Microsoft tried it, they could maybe talk to the right people before the case and come to an understanding that this little loophole was convenient for dev devices or something, and convince a judge to rule that they could do it, but only if accompanied by some external age confirmation they could self-attest to, with some wording that makes it clear that the trick is only usable by large and well-respected institutions. The law is not an impartial arbiter that you can outsmart. It's the enforcement mechanism for multiple tiers or rules that bind different classes. This age gathering law is a classic moat law. It exists to prevent outgroups from shipping software that's incompatible with this age communication system, and in a business-to-business context serves to establish obligations between ingroup members. Any other clever interpretation of the law will be discarded regardless of specific wording.
Right, my bad. It's easy to forget our society is a convoluted backroom quid pro quo even if we pretend otherwise on paper.
Sounds like it exposes a ton of attack surface. Better to just have a card with a link to the webinstaller, probably.
I'm sure noone in the legal system of California would notice that trick!
Well correct me if I'm wrong but dumb laws are usually not written by people who know much shit about fuck. So it's entirely possible they wouldn't.
Virtue signal away. I’m with whatever device and OS purveyors are willing to tell these tyrants to get stuffed.
I haven’t cut over to it completely yet but I think this’ll be the last nail in the coffin for my time as an Apple user. It’s already a loveless marriage , it’s already over, I’m already sleeping with GrapheneOS on the side. it’s asking when I’m going to leave her and it’s always “soon, baby. soon.”
Its a statement for the future. They arent bound to add this now but they could be in the future. They will adapt accordingly to avoid it.
The GrapheneOS Mastodon post says,
"GrapheneOS will remain usable by anyone around the world without requiring personal information, identification or an account."
https://grapheneos.social/@GrapheneOS/116261301913660830
That raises the issues that GrapheneOS needs to solve, which may require more creativity than bold, somtimes combative statements.
If GrapheneOS doesn't comply with laws and regulations then they will sometimes be banned or restricted. If that happens, they may not be "usable by anyone around the world" for long.
That doesn't mean they have to capitulate or sacrifice security. They can find creative solutions, some of which are suggested here. The first step is to carefully read the spec to determine what is necessary, then talk to someone like the EFF, and find a way forward.
I know it's gonna be a very unpopular opinion. I do like, appreciate, respect & admire that they are ready to die on a hill. I just don't think it's the right hill. I do not have an issue with the legality of it. Rather I think age verification is actually not bad. Sure i see the potential danger. But there is potential benefits, that'd counter the danger, by a lot.
In different times, i might have argued differently. I'm not saying it's not worth protecting the world you deem worthy of protection. But no matter what that world is to any of you. The one we all share is changing for sure. Uncontrollably fast. And many things are gonna change. And many things won't matter that much anymore, if we actually end up going where we're headed.
I mean a this is just a super small part of it all, but i assume in this specific case, for graphene, it's a battle for privacy... and they're right. But we're still going into a future where we got 5,10,20,30 more years of "AI", even just keeping the same level of overall sophistication for most, but costs decreasing immensely... I don't know about you, but I don't think the ways we protect our privacy can be unaffected, already because we're going to learn all new aspects about which data is private. Just out of practicality. Extreme example: but if generating hundreds of obscene deepfakes of any person as easily as taking a photo with your iPhone... ah, i can't keep having this discussion, i hope i am just an insane moron who is wrong. But, just to be sure: instead of arguing if we should close the windows on the train that's burning, or leave them open, as some are smart and others need help, let's just get off the fucking train.
And yes of course. One might argue (I actually would), we should not start implementing laws like that or start making personal information a requirement to digital access.
But this might be the first step to a different future, or not. As i said, who cares where the train is headed. It's burning and nobody even really wants to be on it. Let's please get off the train.
Not saying the battle is lost. I have tried working on something because I still have great hope. But someone seriously must act. I tried, getting off the train. Or at least start standing up from my seat. Realizing it's not that easy to get off. It's embarrassing, but i can't even get off the train by myself... i tried anyway... but here i am, sitting again (currently on the floor, lost my seat, damn...)... i have been building something for the past 2 years. Well, trying to build something, an attempt to change course... ruining my life over it. And currently i failed, before i even got to a point where my prototype or any of the theoretical work even remotely represents the vision. But maybe i just learned, i was wrong about all of it. I hope i'll make it back being able to afford working on it and someday a way to make enough money to pay smarter people than me to join. But currently, it's insane for me for me to even dare dreaming about that. I have really dug myself a hole. Next time, it should at least be a hill...
So in the meantime: can people like the dudes & dudiñas from graphene please chose a wiser battle. If just some of all these people got together & worked on getting off the train, instead of working on things that seem meaningful now, but wouldn't even be considered worthy of being mentioned in the future... we'd have a shot.
Damn. I still just can't accept it, even though i've literally lost everything believing that. And i am ashamed so deeply believing in what i saw, and in friendly moments still see, as a future... thinking i could change it, without changing myself... but please god, in the end, let me not have been just bonkers, but convicted.
(As if that, would be, any different).
I appreciate the thought, but I personally disagree having seen the patterns of the past 2-3 decades. There is zero real benefit to it save powers that be. Honestly, the only reasonable move forward is non-compliance. Everything else results in steady inching towards full blown panopticon ( and some would argue that we are already there ).