Age Verification Laws and Free Software: A Legal Expert Tells Us What's Actually at Stake

I walked into this interview more nervous than usual. Age verification is one of those topics where I've had strong reactions, but haven't been able to fully communicate them. It's also inherently a charged topic given it involves child safety, and every time I try to make sense of what's actually happening...the systemD birthdate field, MidnightBSD banning California users, Apple rolling out age checks in the UK...I end up with more questions than answers.

Jithendra Palepu has a legal background and works in tech law, policy, and open source governance with the FSFE. He's been deep in this fight so I brought him on Techlore Talks to discuss the questions I (and many of you!) had to try and add more clarity around these discussions.

The terminology problem is bigger than you think

Before we could even talk about whether these laws are good or bad, Jithendra made me slow down on the vocabulary. There are four distinct things that often get lumped under "age verification"—and they're not the same:

• Age verification: actual government ID or biometric checks. "Show me your papers."
• Age estimation: an algorithm guesses your age based on data signals.
• Age gating: a hard ban: below this age, you cannot proceed at all.
• Self-declaration (or self-attestation): the classic "are you 18?" checkbox we've all clicked since the early internet based on a trust system.

This distinction matters. Jithendra outlines how a lot of the panic in the free software community has been treating every law as if it's demanding government ID checks, and so he consistently reiterated throughout the interview to try and properly appreciate the spectrum of concerns.

Me: California's law—is it actually as bad as people are saying?

Jithendra: "In the context of the California bill, it's only asking for self-declaration. So they're not verifying anything of that sort. I would not call that age verification per se."

Me: What about the slippery slope? Self-declaration today, ID checks tomorrow?

Jithendra: "We should basically ensure that these things don't go beyond that. We don't need age assurance technology. We don't need some third party verifying somebody's IDs...we've seen how badly they fail in practice. And they enable all kinds of malpractices."

His position isn't "don't worry about it." It's "fight the right battle at the right time." Third-party biometric identity verification absolutely is the right battle and it's already happening in many regions around the world. So it's important we direct our outrage towards the correct problems.

The MidnightBSD situation is a real problem—just not for the reason people think

MidnightBSD recently changed its license to block users from California. The intention was to push back against age verification laws. But Jithendra pointed out that this move actually violates one of the core principles of free and open source software: no discrimination against any section of users.

Jithendra: "When the definition says that there should not be any discrimination on certain sections of society in the use of the software—the license change that we saw was that users from California are not allowed to use the software. These are the things we should be really mindful of, because these are core principles of free and open source software."

In other words: the reaction to protect software freedom ended up undermining software freedom. That's the trap Jithendra is warning about.

The UK is where things get genuinely scary

The slippery slope isn't hypothetical. In the UK, it's already being proposed. The UK isn't messing around with checkboxes. They're implementing real age verification—and now they want to extend it to VPNs, which is a meaningful escalation.

Jithendra was candid: he doesn't know how UK-style enforcement is even technically possible. "I'm not sure how this can be enforced per se." But the intent is there, and that intent matters.

Would OS-Level Age Verification Even Be Legal Under GDPR?

A Techlorian asked a good question: would OS-level age verification even be legal in the EU under GDPR—a framework that treats even IP addresses as personal data? Jithendra's answer was careful...

Jithendra: "We need to assess it on a case-by-case basis. I cannot really say on a general basis that it's compliant. But I would be on the side that on the face of it, it looks like it will not be compliant if the data is going somewhere else or if it's saved somewhere else. Even an IP address is considered personal data under GDPR."

He also pointed out that Europe's Digital Services Act, its primary tool for platform regulation, explicitly targets only very large online platforms (VLOPs) above certain user and revenue thresholds. A smaller free software project wouldn't even be in scope. But broader OS-level laws are being discussed, and that's where things get murkier.

The liability question is equally unresolved. When a Techlorian asked who's legally responsible when the data inevitably leaks—the government, the platform, or the third-party verifier—Jithendra's answer was blunt: "It seems like it's distributed liability." In other words, nobody has cleanly accepted the responsibility that comes with demanding your identity.

The People Nobody's Thinking About: Young Developers

One of the most important questions of the whole interview came from a Techlorian: is age verification directly threatening software freedom and programming education for minors?

Jithendra: "Kids and children — minors — should not be banned from participating in democratic society and should not be banned from their own curiosity."

He brought up the FSFE's Youth Hacking for Freedom program, where teenagers participate in hacking competitions and build real projects. Blanket age restrictions don't just limit what kids can consume, they limit what they can create. The next generation of open source contributors, distro maintainers, and digital rights advocates are often teenagers tinkering around on the edges of technology.

Jithendra: "There will be impacts if there is a blanket ban. First of all, they are not really enforceable. Second of all, they are really detrimental to the very core of the right to tinker and right to repair — and just basic curiosity of a child or a teenager."

I don't think this angle gets nearly enough coverage in the age verification debate. Every conversation centers on protecting kids from the internet. Almost no one asks what we lose when we cut kids off from it.

Google Compared ID Checks to Airport Security. It Didn't Land Well.

One moment in the interview I didn't expect...Jithendra brought up how much of this is similar to Google rolling out government ID checks for developers, which hit F-Droid particularly hard and sparked the Keep Android Open campaign. Just like Google wants to keep people 'safer'—it's causing an immense amount of damage to the free software movement along the way. Google's public response to criticism? They said that developers should think of it like showing ID at an airport.

Jithendra: "They're even telling you which kind of analogy you should understand this issue in. It's quite bad."

I found this quite out of touch given the current US political climate around airports and immigration enforcement. It's a small moment, but it illustrates something bigger: tech companies are increasingly comfortable framing surveillance infrastructure as routine inconvenience. The normalization happens in the language before it happens in the law, and there are many parallels to age verification. We've been doing coverage for this problem and even signed an open letter asking Google to reverse its course:

How to explain this to someone who doesn't follow tech

This was my favorite part of the conversation. A Techlorian asked: how do you convince people who don't follow tech that this is a real threat—especially when both major parties in your country support it?

Jithendra's answer: use analogies.

Jithendra: "Would you ban your kids from going to a train station just because there is a chance to score some drugs? That takes away many things."

Blanket bans in the name of protection remove more than the thing you're protecting against. That's a frame almost anyone can understand.

My takeaways

I learned a lot myself from this interview and want to make sure our content going forward considers these things:

1. Read the law before reacting. The word "age verification" in a headline is not enough information. Self-declaration and biometric ID checks are not the same threat level, but still need to be covered. I'll be doing a better job going forward of still covering all of them, but explaining the nuance of what each technique entails, and prioritizing energy towards the more harmful ones.

2. Reactionary moves in the free software community can backfire. After hearing Jithendra's arguments, I believe banning users by region to "protect" software freedom is self-defeating. There are better ways to engage, including directly with lawmakers. We don't need to undermine the values of free software to fight back again policies we disagree with.

This conversation is a starting point, not a conclusion—I'm sure my views on this will evolve. The dialogue should keep going, and I'm grateful to Jithendra for helping sharpen how we think about it. If you have other guests you feel could add insight into our understanding of age verification, please send them my way so we can continue unpacking this!

If you want to go deeper, check out the Free Software Foundation Europe's work and get involved with the organizations pushing back on these laws in ways that actually protect everyone—including kids.

I highly recommend listening/watching the full discussion with Jithendra for yourself, it's a good one with many other important topics across the hour:

Episode Sources

• Free Software Foundation Europe: https://fsfe.org
• FSFE — Youth Hacking for Freedom: https://fsfe.org/activities/yh4f/
• Software Freedom Conservancy: https://sfconservancy.org
• Keep Android Open: https://keepandroidopen.org/

Written by

Share

Copied