Techlore Talks brings you in-depth conversations with the experts at the forefront of privacy, security, and digital rights. Hosted by Henry Fisher, founder of Techlore and long-time digital rights educator, each episode features meaningful discussions with the people building, researching, and advocating for digital freedom.
From cybersecurity researchers and privacy tool developers to open-source advocates and digital rights activists—if they're shaping how we protect ourselves online, they're on this show.
Topics include: privacy tools and technologies, cybersecurity threats and defenses, open-source software, surveillance and digital rights, encryption, tech policy, and digital sovereignty.
If at all there are age-related laws that require this kind of verification, we can safely say they are requiring users to...
Age verification laws are spreading fast, and most of the coverage focuses on social media and children's safety without talking about the bigger story underneath that almost nobody's discussing,
which is what do these laws mean for free software,
for Linux, for the open source ecosystem,
and for anybody who believes that tech
shouldn't require handing over your identity
to a government or corporation.
My guest today is Jithandra Pilepu
from the Free Software Foundation of Europe.
And he's been deep in this conversation
and is one of the leading experts in the world about it.
He's watching how these laws are being written,
what the terminology actually means
versus what people think it means,
and where the real threats to software freedom are hiding.
This one gets into the weeds in the best way,
and is definitely a controversial topic, and we get into some juicy stories.
So let's get into it.
Okay, today I want to welcome on Jithandra, who's a volunteer from the Free Software Foundation.
Do you want to introduce yourself a little bit?
Yeah, sure.
Thanks, Henry, for having me on.
Really, really a pleasure to be here.
I follow Techlore for a while now.
So my name is Jithandra and I'm a lawyer by training,
and I volunteer with Free Software Foundation Europe
and I'm based in Germany currently.
Very nice.
I want to start this discussion
and I think you're one of the few people in the world
who is on the Free Software Foundation.
You are on the Free Software side of this fight
and you are a volunteer for the Free Software Foundation of Europe,
you're colleagues with Lucas, who we've had on the podcast.
You're one of the few people that I think can actually clear up something
that I, and I'm sure hundreds, thousands,
potentially millions of others
are not able to make sense of.
These laws are happening constantly.
We're seeing Apple roll out age verification features
in the UK, I think Singapore most recently as well.
We have the whole stuff going on in the Linux community
with systemd merging the birthdate field.
California, Colorado, Brazil,
all these countries are proposing age verification.
But I want us to really unpack what this means
because what actually started this interview
was Lucas posted on Mastodon
the Linux community was being a little bit intense about things and wasn't really understanding what
was going on. And Lucas is a volunteer for the Free Software Foundation of Europe. And so if he
says that something's maybe being taken a little too far, then maybe he has a point. And especially
because I like Lucas and I trust his views on things. So I just want to kind of set the narrative
before we get into this interview first and kind of the questions I have, as well as probably what
a lot of people are wondering. So can you just orient us a little bit here just to start this
off with what is actually happening in the world of age verification and what are kind of the real
flashpoints in your view before we dive into them? Yeah, for sure. Yeah. Thanks for that context
setting. Yeah. So in terms of what's really, what we really need to focus at the beginning is the
terms that we are using. We have age verification, for instance, which literally means, or in practice
also in the past also meant, "show me your papers" or things like this, like literal government
ID checks and biometric checks. And this is what age verification by the wording itself means,
and that's how it's been used in different jurisdictions. And there's one more called
age estimation, and this is basically based, the algorithm will try to determine
the user's age, and that's also used in many platforms currently. And we have age
gating, which means kids are not allowed to, or below this age group are not allowed to, use
anything, and it's an outright ban sign. And then we have self-attestation, which, like, from
the beginning of internet, we just have the strict checkboxes, and that's how the attestation
began. And yeah, so I think we need to clarify these terms. Otherwise we might end up blanketly
calling things that's not what they are. So we need to first set these things or like clarify
these first. And I think we need to look at it in this way because when we say age verification,
yeah, it's very controversial and we need to be very careful in this terming.
For example, with the California law, it's not technically age verification by definition.
It's asking, in the context of the California bill, it's only asking for self-declaration.
So they're not verifying anything of that sort.
So I would not call that age verification per se,
at least that's as written in the text and based on previous practices around the jurisdictions.
So I think we need to really look at these things in terms of their terminology and what they're
actually trying to do to operating systems. Right. So just very quickly, where do you see
specifically the largest problem from the vantage point of view? And I know you don't formally
represent the Free Software Foundation of Europe. But what do you and your colleagues actually think
is the real concern right now that people should be watching between all these different technologies?
Yeah, I mean, the real concern would be that we need to, at least the free software community
should be, instead of ringing panic bells, we need to really take a step back and analyze this a bit
more and see that there's this whole fight right now going around the globe in Europe and also
elsewhere in the global south, we have this antitrust and competition law issues.
We are literally, like jurisdictions are literally trying to tackle tech dominance in mobile
ecosystems.
And we need to understand this in a broader way that way, so that when we have a very reactive
approach to these age-related laws, then we are seeing some examples where they've taken
drastic measures to ban certain regions from using the software, then free software will lose that
way. We might lose the battle because free software emerges as the alternative to the
tech dominance that we are currently seeing. And when we work on these issues, we say that
we already have alternatives to the tech dominant players in the form of free software. We already
have the alternatives. They are the alternatives and we don't really need a new form of alternatives.
The alternatives already exist, just that they're limited in many forms and through lobbying and
there's so many forms where free software is being restricted and we need to look at it in this way
so that free software should not be removed from a region and then the gatekeepers emerge as the
only alternative. And I think we need to really be careful that way. So I'm trying to read between
the lines and the point you're trying to make here. So is the point that you're trying to make that
the problem that you personally see here is that the big tech companies potentially can still be
the gatekeepers as part of these laws they're trying to pass globally, whereas you think that
free software bypasses this or free software should be the verification? I'm just, or are
these separate issues. Just trying to... Can you repeat again? I lost you there.
Yeah. So what's the point that you're really trying to make with that statement? Are you saying that
you don't think big tech companies should be the gatekeepers and it should be free software or it
should be even footing? How does this tie into the laws? I'm just trying to understand.
Got it. So what I mean is free software will not emerge as gatekeepers. I mean,
we have gatekeepers in the form of the big tech. We already know the obvious names and
free software already offers many alternatives to that. Just that we need to encourage and we need to
bring free software into limelight and support free software this way. So they emerge as the
alternative players that lets users control their technology rather than rent seeking and profiting
our personal data. So free software emerges that way as an alternative. And if we try to take
drastic measures to limit free software this way as a reactionary approach to age-related laws,
then this can backfire and it can lead to a loss for free software as an alternative
to the big tech. And there are ways to actually engage. And for instance, we can talk about the
MidnightBSD license change.
That basically changes the entire definition of free and open source software when the definition says that there should not be any discrimination on certain sections of society then in the use of the software.
And the license change that we saw recently was that users from California are not allowed to use the software.
Then these are the things that we should be really mindful of because these are core principles of free and open source software,
and we need to keep that in mind because there are other ways,
alternative ways to engage with and tackle with this new age-related regimes
that are coming up rather than just giving a reactionary approach
and moving so quickly, like rushing into things, basically,
because it's too early right now.
Yeah, and I want to ask a little bit more about the MidnightBSD situation,
maybe in a second here.
Really quickly, you mentioned something earlier, which is self-declaration, which is what California requires.
We've all experienced this.
You access a website.
Oh, are you 18 or older?
You know, if you're even going to concerts or a comedy show.
So this is something that's been around for a long time.
I've seen some people, and how do you view this?
I know that it's easy to look at laws as they are right now.
But a lot of people say, well, yeah, it starts as self-declaration.
But then when they realize everybody lies on it, then the infrastructure is already there to then require the next thing.
So is that a concern you have?
Yeah, for sure. I mean, definitely we need to ensure that it doesn't go beyond that.
Like, I mean, it's there. Yes, there are enforcement issues.
And there are literally points that say that how do you enforce such kind of self-declaration?
Anybody can just lie. Then it just becomes moot.
What do you say to this when somebody says, then it's a lie?
And for me, yes, it's a lie, but there are governments right now coming up with these laws.
Let's assume that it's just a checkbox.
It's just a self-declaration checkbox.
Then it's not really a useful law per se then, but still it exists and it's a pain to implement this.
But is there a way around it?
I would rather implement a self-declaration than just banning a region of users to not use the software.
I'm again repeating only on the aspect of self-declaration.
So we should basically ensure that these things don't go beyond that.
We don't need age assurance technology.
We don't need some third party verifying somebody's IDs or something like this.
We've seen how badly they fail in practice.
And they enable all kinds of malpractices to be done
when you have a third party do verification.
And this is literally happening.
And we have so many precedents of this to use as an example.
Only on self-declaration, it's still, it's not the sky.
It's more like sky is falling down,
like for self-declaration at least, or self-attestation.
Like it's assuming an environment where a parent or legal guardian
is trying to set up the account for their kid.
The premise was that, and only on that premise,
it should still be fine,
but we should also make sure that we don't ban children
from participating in democratic society,
and we should not ban their curiosity.
Like, we should let them tinker with devices,
and this is how kids get into tinkering
and into the world of free software,
and that should definitely be encouraged,
And that's how free software will flourish.
And so we need to strike a balance there.
Yeah, and I actually asked our private signal group,
our Techlorians, for any questions they had before this interview.
And one of them is in regards to kids genuinely using technology
and having access to technology.
So I want to ask about that later in the interview as well.
Before we really dive into the systemd stuff,
MidnightBSD, kind of the Linux side of things,
I wanted one final distinction to be made here.
I don't know if this is a distinction made in laws, terminology,
but it seems like there's two, as a regular person
who didn't even have the original terminology
that you outlined kind of in place yet,
the way I've been looking at it is service-based age verification,
like for NSFW websites online via the cloud,
and then also these local, well, they're not always local,
but it's supposed to be on your operating system,
like operating system-based age verification.
Is this distinguished in laws between those two things?
Do you guys have views between those two approaches or are they actually the same thing behind the scenes, just different implementations?
That's a really good question because I was going to mention this because right now what we're seeing is there's a shift from, as you said, the service-based angle to the root level or like I'm calling it root level to the operating system layer.
So the jurisdictions are trying to tackle this from the moment the user sets up the device.
So earlier it used to be the case that, yeah, you set up the device and you go on internet and you try to download an app or you try to access a service, then there's a verification.
But we have to also be mindful that there are various lobby forces on this front that are trying to shift burdens on each other.
And we have to be mindful of that.
And so the service providers and app providers or app store providers, social media platforms, they do not like to also conduct age verification.
They basically don't want to have the burden.
So there is huge lobby forces happening around the globe in different jurisdictions that they're trying to push.
And the other side is also trying to push.
And then there is a trial and error on that area.
So we see one implementation and then it gets backfired.
It gets pulled off and we see another implementation.
So there's a huge contracting and contracting forces for this aspect of service layer and operating system layer.
But yes, on to your question, is there a differentiation?
It varies region by region.
Every law is looking at it differently, at least for the California one.
There seems to be a very concrete differentiation.
They have what is an open source operating system provider, what is a covered application store.
They're giving these differentiations, but what we can already see that the shift is happening, that the age-related laws are coming onto the operating system layer.
So there's definitely a differentiation and there's definitely a change that's happening.
So the change, from my understanding, the change is pretty obvious that there is huge lobbying happening behind the scenes.
And what are your views and or the Free Software Foundation of Europe's views on if this is to be rolled out, is there a better approach between those two?
I wouldn't say like from my understanding that there is we have seen recently there is there was a jury trial that convicted Meta from social of social media practices that were too addictive.
And it's also proven that they are addictive.
But YouTube as well, right?
Yeah, yeah. And so aging of minors, like at what age somebody is called a minor is super subjective right now.
We cannot just have a blanket universal definition of who a minor is and who a major is right now.
And it depends on each aspect that we're talking about.
And for driving, 18 is the usual age.
Can we directly correlate or like use the same to social media usage?
I don't think so.
Yeah, drinking, for example.
Europe and U.S. is completely different.
Yeah, and in the U.S., we still see people buying booze in paper bags, right?
And I don't know why.
So what was the logic behind?
I'm still not sure.
So that means it's not allowed to drink in public,
but it's okay if you use a paper bag to consume alcohol.
So there was a way around that.
I mean, sure, Australia tried to ban social media for minors,
and it backfired completely.
We literally saw they're openly saying we bypass this using VPNs.
These days, VPNs are used to geoblock content.
You want to access some content somewhere that's restricted.
You use VPN to access that content.
So there are so many ways, but yeah, minors can bypass this.
But we should find a balance, as I said before, that children or minors should not be banned from their curiosity,
because at least from my view and from FSFE, FSFE is a nonprofit that lets users control their own
technology. And that also includes tinkering and tinkering is the core of it. And so that way,
children's curiosity, there should not be much limits on that. So we should strike a balance
there. But at the same time, as I said, these are very addictive areas. And so there are methods
For example, the California law is somewhat designed that way.
But as I said, we need to ensure that it doesn't go beyond that.
It should never go beyond that.
That way, it's playing between self-declaration and self-attestation, but not age verification.
They're not asking for government IDs or anything of that sort.
I mean, yes, if somebody says, yeah, what if this is a self-declaration today?
What is going to happen tomorrow?
Then we will wait and see.
We don't have to be super scared and we don't have to ring all panic bells to say that, yes, the sky is falling down.
We are going to go down.
We are doomed.
I don't see that kind of reactionary approaches.
I see them as very threatening and very risky approaches.
I would say we need to take a step back and analyze this.
California bill already has some exemptions and exemptions is another area that I can,
we can discuss a bit further when doing the interview. Yeah. Yeah. If I could just inject,
I think, I think it's, it's unfair to children because if a kid is on TikTok all day,
instead of paying attention in class, whose fault is that? Is that the school's fault? No. Is it
the kids' fault? No, it's TikTok's fault.
And who's the only person who's not dealing with any real consequences?
It's TikTok.
Like, the schools are dealing with kids who aren't focused.
The kids are completely distracted.
And who's being punished?
The kids.
The kids are the ones who are now banned from accessing different platforms.
And in the process, you know, we have to age verify everybody.
You know, it's very frustrating, I think.
And it's really sad to see that these politicians who say they want the best for kids, and maybe they do, are taking this approach.
Instead of holding the companies accountable that we just found out in trials are now guilty of making their platforms addictive towards children.
So that's my personal, I don't know.
Yeah, I know.
So not every problem can be solved with technology, right?
So it's a social issue and we are trying to, at least with age assurance technology,
and there is this whole area of privacy enhancing tech that is trying to creep into this age-related debate.
Not every problem like this can be solved with technology, but technology is also used to solve some problems.
So it's not the other way around.
So we should also be mindful of that.
And we can also use Lawrence Lessig's example of Code and Other Laws of Cyberspace where in his book we have norms and code.
And here, when we use this example for the age laws right now, the laws are trying to control behavior using code.
They're trying to bring in an outcome where code will control the behavior.
But can you really, in code, it's very solid.
It's very hard.
Like it's either this or that.
There is no in between.
But law is very interpretive.
It's very subjective.
And especially age-related issues are very, very subjective, as I explained before.
So when you try to hard code something and require developers to code this into their code base, into their software, then it's either this or that.
And there's no middle ground for that.
It's going to be really hard. So it might not even work, as we've seen in terms of age assurance
technology and age estimation, as I explained before, where the algorithm tries to estimate
your age and people just say, yeah, OK, I would like to verify myself. I'll turn on my camera.
I will scan myself and let the algorithm do its magic. And what would you say to that? I mean,
And in terms of that worst case scenario, and you look at California bill, then there's definitely a difference, a lot of difference, huge difference.
And we should look at it that way.
And it's not really the end.
They're not asking for DRM technology or like Secure Boot or something like that that restricts users to install their whatever software they want on their device.
They're not doing that.
At least the law is not trying to do that.
So there's no restriction on copyleft-related free software.
And so that way, software freedom is still intact.
Yeah.
Great. Yeah, really well said.
So thanks for expanding on that,
because I think you added a really good language
around what I've been feeling,
quite frustration I've been feeling.
Yeah.
Regarding the controversy now,
on the Linux side of things again,
you brought up MidnightBSD.
Can you touch again a little bit on the systemd situation?
How Linux is trying to comply with this?
Maybe the polarization in the community?
And what would be your proposed solution?
What is your best case scenario if you were to help guide things in the best direction?
I mean, I'll try my best, but I might not have a solution.
Yeah, I know it's complicated.
It's a really polarized matter, as you said.
Yeah, even now, we are playing on the borderlines of controversy.
But it's good.
So it's good to discuss this issue because, as you said, we're seeing so many things flying around.
In terms of systemd, I mean, they implemented this DOB.
But, I mean, when we talk about, for example, the law and the California bill assumes that for everything, you need to make an account.
There is no account making feature on GNU/Linux or something.
There is, but just that it's done very differently to what Microsoft or Apple does in their operating system.
So on GNU/Linux, we can create an account and it can get saved locally, right?
And it's also an optional thing.
But when it comes to how systemd is implementing, I mean, systemd is the core of it.
So they are trying to implement at least one signal that can deal with this.
So we have to understand that it's data minimization that the law is trying to respect in a way where they're playing at the edge on the borders.
If data minimization, like collect as less data as possible, if that is respected, then I think it's still that way.
It's OK.
But I don't seem to have any proposed solutions for this at the moment.
I'm still grappling my mind around this.
Yeah.
Cool.
I appreciate the honesty.
A couple of questions from our Techlorians.
Someone asked, since Linux runs on everything, routers, medical devices, industrial systems,
have lawmakers even considered how to define which devices need to age gate their users?
Are there carve outs for non-consumers or non-interactive devices?
I assume IoT devices, and I guess by extension, free software
along the way. You mean carve-outs for medical devices? And what do they mean by non-consumers?
Yeah, I think just like companies, like, you know, if a company buys tons of devices,
you can't, like, how does a company age-verify itself? So does the law kind of think about
these edge cases where it's probably not necessary? In terms of, I mean, from what I understood from
the text, it feels like it's more oriented towards Microsoft and Apple and gatekeepers.
My understanding, I'm not a lawyer in the U.S. I don't practice law in the U.S., but at least
the California bill seems like it applies to the gatekeepers per se. We call them gatekeepers in
Europe. But in terms of carve-outs for medical devices, I'm not really sure how that's going to
As long as the age verification, as I said, like if we have data minimization at the core in implementation, collect as less data as possible.
And there is no third party.
There is no third party verifying or there is no third party technology that is trying to verify the user.
From my view, I'm trying to understand where is the window for malpractice here is the question.
Like, let's play a bit of a devil's advocate here and see where can the malpractice happen or where
is the window of opportunity to even have malpractice if there is no third party tech,
there is no third party involved at all in terms of verifying. Verifying, I'm quoting again because
this is not verifying. This is just declaration and self-attestation. Again, on the premise that
the legal guardian sets it up for their kid.
I know it's a very narrow premise
for such a huge generic issue,
but yeah, in terms of its effectiveness,
I also highly doubt how this can be enforced.
But in terms of its negative impacts on free software,
at least the California bill
seemed to have like zero to none negative effects.
Got it.
Another question, shared devices, secondhand hardware.
Is this something that's been included or thought about in the laws?
Second.
Okay, okay.
Yeah, that's actually a good question.
I mean, there was a date, a timeframe, right?
Like before 2000, 2026.
How do you implement such things when the device is already in use for quite a long time?
But I don't see if it's a fresh account that is being fresh set up that is being conducted on the device,
then maybe the interface will creep into the setup is what I'm trying to understand if in terms of
its real life implementation. So the device changed hands, let's assume, and there is a new setup that
is being done. If it's the old setup, then of course it will not have it for sure. The user
will just continue on to their existing operating system, whatever they have. But if it's a fresh
one, they want to reboot again and put a new free software in there, and then the interface, the age
range pop-up, might come out. I'm not sure how that can, I mean, there are so many issues in
terms of this. It's also very too early to even tell, because how do you geolocate this? Like,
how can this be very location specific? For example, how can Debian implement this in California, and
how can they differentiate that in Colorado, or how can they do this in Europe and wherever it is?
Like, so it's very, very, there are like so many sub-issues in there in terms of its
enforcement. Even I cannot really tell how it can be implemented in reality. Yeah, yeah. I'm
reminded of how Apple chose to comply with the DMA in Europe where they have these craze like
it's tied, I think your credit, like the actual region of your Apple account is a part of it,
as well as whether or not you're in the region. I think you have like a certain amount of
days or hours that you're allowed to be in the, like it is, you can probably speak to it better
than me, but they truly engineered a problem for it or engineered a solution for this problem.
Yeah, it's just, it's just bogus. It's completely like madness. We actually tested, actually,
That's a good follow-up you had.
We actually tested with a device, with an iPhone from India, I think.
And then we were in Europe and we tried it and nothing worked.
I mean, of course.
So let's take a device from Europe and we have to go somewhere else and try, I guess.
But I mean, we didn't really do that, but we just tried.
But yes, there was a point where an alternative app store was kind of successful in being installed, but there were so many errors in between.
And it was it was insane.
Like I actually screen recorded it and kept it for myself.
So it didn't really work.
So there's it's just I mean, call it whatever you want, malicious compliance or whatever it is.
I mean, I would just call them non-compliant.
Yeah, I guess context for anyone who hasn't followed in Europe, they have the DMA, they have, you know, potentially they're supposed to allow, Apple's supposed to have third party app stores and all this stuff that's EU specific.
When the DMA passed, I guess I was very optimistic and naive.
And I thought that Apple would have to open up globally.
I didn't think they would actually find a way to only pretty much manage almost this like lightweight second version of iOS for one region.
But they chose to do that route.
So, yeah, yeah.
But we still hope that there is hope in DMA.
And yes, it's a really tough battle, but I think they can at least.
So, for example, recently I've seen that the UK is trying to also deal with tech dominance with their DMCCA law that they started recently introduced, I think last year.
And they're trying to figure out how they're going to deal with this.
And they are also learning from the experiences of the DMA in the EU.
So, I mean, though they're very close and we have Brexit and they have their own law right now,
and they're taking a lot of input from the learnings and experiences that the EU Commission had in terms of dealing with Apple's dominance and Google's dominance.
And they are learning from this.
And of course, they might not use it fully or something, but at least there's some exchange of knowledge in terms of enforcing this.
And I think that's really good.
Yeah.
I wanted to quickly ask about the UK later as well,
because they seem to have, in my view,
some of the most extreme laws right now when it comes to,
like they want to age verify VPNs.
And as far as I've been able to tell,
it seems pretty quite, it's quite invasive.
But again, that's why I want your opinions on it.
But before we get there,
I want to zoom out a little bit
and just ask kind of the why behind all of this.
Have you guys seen kind of an overall narrative of if age verification works?
Because, I mean, for chat control, we see Patrick Breyer come out and say,
like, hey, we have some evidence here that shows this stuff doesn't even actually really work.
So is this theater, do we have real evidence that this is there to protect children?
How is this different from, I think, Japan does age verification when you purchase the device.
So if you're buying a phone in cash, you show your ID and you just get the phone.
There's nothing digital at all about that.
Yeah, I think don't don't cite me on that. That's something that I think I read. So I'm kind of just asking like why this is happening and if this stuff has even shown to work and why it's being promoted so heavily.
I mean, as I said, there's a lot of business tactics going around and there's a lot of lobbying going around on these issues because there's a huge attempt to shift burden of compliance to one another, one player to another player.
And that results in compliance burdens shifting to downstream or upstream.
It's pretty obvious that way.
So why this is happening?
I mean, yeah, there's so much going on on social media, as we discussed before, with this social media addiction that is scientifically proven that it's addiction.
And lawmakers, of course, want to point fingers at somebody.
And there's a lot of things happening.
And it's not like lawmakers are technologically handicapped or something like this.
They are at least informed well or not, I'm not sure, but they have enough technical input to look at these things.
But when you have such dominance, this is also a classic example of how we have super monopolies in mobile ecosystems right now and how this plays out.
In the global south, they have immense power in terms of shaping policy for digital competition and shifting burden, as I mentioned.
So when you have that kind of power, that kind of corporate power, then of course there can be a chance to shift burdens and maneuver your way around things.
But we have quite vocal civil societies that are working on this aspect.
And I think, for example, Free Software Foundation Europe has been trying to voice this.
And there are other really good civil societies that are trying to voice this and fight this.
And we have research institutions that are trying to work on this.
And we really have problem with super monopolies or gatekeepers or whatever term that we want to use, because in every aspect they have a say.
And in every aspect we have, we are, right now we're talking about age-related issues.
But as you see, we immediately shifted and we were also talking about Apple's dominance and app stores and their proprietary models and how they're restricting user software freedom.
And so we just immediately switched without us knowing, but we were talking already.
So there is an octopus with a lot of tentacles and we need to try to tackle them with different inputs.
And we need as much diverse opinions and inputs as possible on this to tackle such super monopolies.
For example, with copyright, free software kind of resolved it with licenses, with the problem of copyright.
And there are ways and we need to figure this out instead of having a very, very reactionary approach, at least from what I've seen so far.
So we should look at it from a bigger and broader perspective, zoom out a little bit and try to see why this is happening.
I mean, from your question, why this is happening and then figure out the value of what free software is providing to users around the world.
So if we know the value of that, then I think we need to really protect that.
Yeah, well said.
And shameless plug, but highly relevant.
If any of what Jithandra just said resonates with anybody,
and they want to learn more, I interviewed Lucas,
who is also from the Free Software Foundation of Europe.
And I feel like that interview dove pretty much into everything that you just covered
in terms of gatekeepers, what the DMA is trying to do, the big tech companies, etc.
So if you guys want to check that out, I'm going to leave that in the card or also in the description.
One other kind of more meta question about this stuff as a whole.
When I first, and you can even go back and watch, I think it was the interview I did with the Dutch journalist.
It was a very weird interview in the sense of like, we didn't know what we were going to talk about going into it.
But we ended up talking about age verification in that interview very briefly.
And that was recorded almost a year ago at this point.
And my views then, this was before we started seeing what this would look like.
I saw it only from a privacy angle.
And I was like, well, if they can do it in a privacy-respecting way, I don't see the problem.
My views on this have developed over time, and I see other problems outside of just the privacy angle.
So I'd like to just ask you and what your views are, as well as maybe the Free Software Foundation of Europe's views.
What are the actual concerns here?
I'm sure privacy is a layer of it, but is it surveillance infrastructure?
Is it democratic risk?
Is it just the gatekeeper risk that you're talking about?
All of the above.
If you can quickly just speak on what your concerns actually are with this.
I mean, shortly, all of the above, for sure.
But in terms of verification, we have this whole techno-solutionism argument coming in
where we try to solve this issue, at least age-related issue, with a privacy tech of some sort.
Maybe zero-knowledge proofs or something like this.
I mean, if, again, that deals with a, if it deals with a third party and there's some sort of third party involved in this, then there's a risk.
Then it's definitely a risk.
And as I said, we cannot really solve every problem with a tech gimmick or something.
And so we need to understand it that way.
Yes, of course, if there is age verification being done using age assurance technologies
and requiring government IDs, then definitely it's a privacy issue for sure.
I don't even have to peel the banana even more to say that there's a privacy issue in this.
We have in Europe, there is GDPR that is quite extensive on privacy and data protection that way.
So many, many issues have been determined as violating GDPR and age verification using technology.
And we need to see, I mean, we cannot really say there is definitely an issue, but we cannot really say, yes, this is a violation.
But there is definitely, it is prone to violate many things.
If you have age verification, I mean, please don't take it in one go.
There are, as I mentioned at the beginning, there are many terms in this.
So verifying means requiring papers, government IDs.
Like Google, for example, recently rolled out government ID checks for developers.
I mean, that's really, that's quite bad.
And it affects F-Droid really badly.
And F-Droid has been quite vocal about it.
And there's this whole campaign, like with Keep Android Open.
And there was some sort of, yeah, and Google looked into the issue.
And now there is some sort of changes in their policy and they're trying to work it out.
But still, they gave this 10-step process for power users.
They have to shut off their device, wait for 24 hours.
It's just insane.
And so there are things like this.
But that is like developer community as a whole.
They objected to this that they don't want to show.
And Google, I think if I remember correctly, they said, yeah, just think about it as an airport check when you try to take a flight.
Really good association with that too. So yeah, that's a great, yeah, they literally wrote this
on their blog, I think. And can you imagine, like, they're asking, they're even telling you how to
how to analyze this thing, like how they're even telling you which kind of analogy you should
understand this issue in. It's quite bad timing too, because I know in the U.S. we have our own
issues right now with our security in airports and our current administration wants to use
immigration enforcement as security officers.
So there's this whole debate of like, should we be doing that in the U.S.?
Is that a good idea?
And so I think for Google to say that being an American company is also quite ironic
because it's like, well, it's kind of not a good analogy, actually.
So requiring ID that way is, I understand age verification as requiring government check.
So that way, for me, it would be a privacy violation for sure.
And I don't need to, if at all there are age-related laws that require this kind of verification, then we can safely say that they are requiring users to have an ID to even use a computer.
If at all there are laws about age verification, literal verification, then we can safely say that they're requiring ID to use even a computer.
That's as extreme as it can get.
I wanted to ask, is there any law or framework right now that exists in the world that you think either got this right or closest to right? Like what laws, you seem to be speaking about California's approach as slightly better, but that's just my read on what you've said so far in this interview.
Yeah, I'm using that as an example because that's if we have because I gave the terminologies and explained what they are, then that way California law does not even fit any of the bill.
It just fits the bill that says self-attestation and self-declaration, the least zero to none tech involved at all.
So the Japanese example you gave, the physical device, I mean, I'm not quoting you.
Don't quote me. But yeah, so it kind of feels that way. But yeah, as I said, we need to ensure
that it doesn't go beyond that and there are no malpractices done using this, or, I mean, we need
to control it until there. I mean, it should not go beyond that. As it stands right now, the California
bill has very, very less negative impacts on free software and software freedom. That's what I focus
on, and I also focus on the competition issues. So that's where this broader angle that we need to
respect the value that free software provides, and that way we need, we should not let it evaporate
because it's a viable alternative to big tech dominance. Yeah, I did just do a quick check. It
seems like I didn't just make it up, but it seems like there's a lot of nuance to it, so I think I
simplified this quite a lot because there's different ways to fit. So like everything,
I think we have to simplify a bit. Yeah, you asked which, is there anybody who got it right?
I'm not really sure if somebody, if some jurisdiction got this right. At least if you
mean age verification requiring government IDs to use online content, I'm not really sure who got
this right. I don't see any right approach or not that I'm aware of. Yeah. Okay. I have a list of
questions from our Techlorians. Someone asked, who are the companies stepping up to run this
verification? Do they have a good track record? Do they have government ties? Are you seeing any
major players in this space that are behind some of the pushes for this?
I'm not sure. As I said, there are actors from social media platforms and there are actors from
app stores and there's so many players. I'm not sure whose names that I can pick.
I am sure that there are many involved in pushing this. I mean, it's very obvious.
Right. Someone asked, and it's a really good question, when the data leaks, if there is a data breach, who's legally responsible? Is it the government? Is it the platform? Is it the third party verifier? What are the fines? Yeah.
Yeah, that's again, that's the thing. Like, of course, then that way, there is a burden on the government also when you have such kind of frameworks that you want to implement, then the governments should also ensure that there are no there's no window of malpractices or there's no window of any failure.
Of course, you cannot say that something is perfectly secure.
You really cannot say that.
And for anything, free software that way is better because at least you know what's in
there and you can see it, you can verify it, you can audit it.
So, but we cannot say something is perfectly secure.
And, but the, who has the burden and who has the onus, who has the liability?
It seems like it's a distributed liability.
Like government also has some sort of burden that if you have such kind of verification frameworks or something like this, then you should also ensure that these things are done in a very error-free manner.
But if it's on the platform or the provider, then yes, of course, the provider is most likely to be liable for this.
If they are doing this via a third party, then yeah, it's, I mean, if you, if you look at a
proprietary model, then that itself is a single point of failure. One thing fails and it falls
like a pack of cards. So yeah. Somebody asked, and you did touch on this already. So if you have
anything more to expand on, someone asked, it was a very good question, would OS level age
verification even be legal in the EU under GDPR? It needs more assessment, but I would say right
now there is none, but there are discussions in EU as well about bringing such laws. We currently,
I think Europe currently has Digital Services Act. It explicitly targets very large online platforms,
VLOPs, which have a certain number of users, certain number of turnover per annum,
which means it's only really focusing on the big, big players.
So it doesn't concern a smaller free software project or something.
But per se, there is no operating system age law in Europe currently,
but it is being discussed is what I read and seeing.
But in terms of if it's GDPR compliant or not,
we need to assess it on a case-by-case basis.
I cannot really say on a general basis that it's compliant,
but I would be on the side that, on the face of it,
it looks like it will not be compliant if the data is going somewhere else or if it's saved somewhere else.
Even an IP address is considered as personal data under GDPR.
We also touched on this, but I don't know if you wanted to expand at all.
But someone asked specifically about teenage distro maintainers or young developers, people who might be considered minors.
Is age verification directly threatening software freedom and programming education for minors?
Sure. Yeah. As I said, kids and children or minors should not be banned from participating in democratic society and should not be banned from their own curiosity.
For example, Free Software Foundation Europe has a program.
It's called Youth Hacking for Freedom, where we see teenagers also participating.
It's a hacking competition and we see so many teenagers tinkering around.
And it's really fun to see how many, like the cool projects they're trying to build.
And yeah, for sure, there will be impacts if there is a blanket ban, like how we saw in Australia.
First of all, they are not really enforceable.
Second of all, they are really detrimental to the very core of the right to tinker and right to repair,
and just basic curiosity of a child or a teenager.
Yeah, you can be pretty brief here,
but you just mentioned enforceability
and I feel like some countries aren't convinced.
We brought up the UK earlier.
The UK has already started implementing some age verification.
So then everybody moves to VPNs
and then they're like, well, we're going to age verify the VPNs.
And then it's like, well, then do people use Tor?
And they say, oh, we're going to age verify Tor.
So can you walk me through enforceability
and why maybe that's not very enforceable?
And why are these countries convinced it is?
I mean, in the UK one, I'm not sure if it's enforceable.
I'm just, I'm trying to wrap my head around it.
How can a blanket ban, for example, on social media be enforceable?
I mean, it's not going to be so, it's, I don't know.
We've already seen that it's a fail.
And in terms of age verification of VPN,
and again, it's, as I mentioned, it's really a problem if you have a verification for using
something with government ID checks and this kind of stuff.
When you have a law, we have some kind of technological solution that is being developed
to counter that law.
It's a tug of war that's being done everywhere.
And you see there's a law and there is a tech solution or something that is being developed
to bypass that law.
And we see this happening everywhere.
But I'm not sure how the UK age verification will.
There are so many privacy concerns around it,
and I hope that there is some workable solution around it.
Right now, I don't see how this can be enforced per se.
The final Techlorian question here is,
how do you convince people who don't follow tech that this is a real threat?
And what do you do when both major parties in your country support it?
So I think they're looking for actionable advice that they can share with themselves, their family, to try to be a good part of the movement.
I mean, use as much nice analogies as possible.
I'm coming from the law area and I like analogies and courts also like analogies.
And it makes things simpler.
But yeah, everybody has their own preference.
But it's easier.
Like, I mean, you have, let's look at a train station and where you can score drugs.
Would you ban your kids from going to train station just because there is a chance to score some drugs?
I mean, that's, it takes away many things in that example.
So there are ways to explain this to non-tech users how bad this is in terms of, like, try to simplify the issue, like use real-world analogies.
And also I think you should start from explaining why free software is a better alternative.
If you can manage to explain that to a non-tech user, then you're good.
You can easily explain why age verification per se is bad.
And kind of as an extension of this, my final question to you, you are taking both approaches.
You are acknowledging that this is something that we need to watch carefully.
It might be bad.
It might be very bad.
But we also need to actually not be reactive about it.
And I feel like that you just summed up the two camps right there.
Because there's people who are like, this isn't a big deal.
We don't need to do anything about it.
And there's people who are like, this is a big deal, so I need to react.
And you're taking both positions in a way.
So my question to you is, how can we better facilitate discussions as we try to navigate
this, ideally, as millions of people who don't think age verification is good in the way that
it's being proposed?
So how can we all who are listening to this better engage in this discussion so that we
can have the best result and the best outcome. Okay. So what I tried to do in this whole talk
was that I'm trying to give all the perspectives. I'm trying to summarize because it's really
important to clarify things because there's so many things flying around and so many
misrepresentations that way. And how do we tackle this? I mean, by reactionary, I mean,
panic reactionary. Of course, we have to react. And we react in a way that, as I said,
free software community is being recognized and we also need a place where the lawmakers see that
there are alternatives in the form of free software. And we need to engage with lawmakers
and states to better inform them. For example, we can provide more better inputs from the free
software community perspective, which can shape policies in a better way. So I think that way,
the dialogue should keep going.
Okay.
Well, I really want to thank you
for being on this podcast.
I went into this interview
a little more nervous than normal
because, again, this is a,
it's a bit charged, but also...
Yeah, of course.
No one's, I haven't actually read an article.
I haven't seen a video.
I haven't been able to do my own analysis
of the situation
to actually make sense of what's going on.
So when I walked into this interview,
this felt very new
and very like, there's a lot on the line
and I want to make sure I get this right.
So I just really want to thank you
for explaining this very nicely.
I think it's going to be a great starting point
for people to kind of make sense
of the current landscape.
And where can people follow your work
and also the Free Software Foundation
of Europe's work on this and anything else?
And also, where would you send people
to kind of just get them involved in this
if they want to get involved?
Talk to your local communities,
wherever Free Software, I mean, it's everywhere.
So, I mean, we are Free Software Foundation Europe and here, I think you can follow our
work there.
And currently it's, I am mostly dealing with dominance and competition issues and how that
impacts free software in general.
And that involves many things.
And it also involves the things that we have discussed today.
And yeah, I think if you can start engaging locally and try to see how things are and
they can be, I don't know where you're trying to,
but I mean, like, where do I send people?
I'm not really sure where I can send them,
but there are really good organizations.
There's also Software Freedom Conservancy in the US
that's also doing really good work.
And I think Bradley Kuhn and Karen Sandler,
they're also working very hard on these aspects
and yeah, shout out to them as well.
Awesome.
Well, thank you so much for your time today.
I know that you're working on a lot of stuff back there.
So I really appreciate you.
Thank you.
Thank you for having me.
And I hope I was useful.
And yeah, it was really great discussing this.
And yeah, thanks a lot for having me.
Yeah, it was a pleasure.
Of course.
Thanks, Jithandra.
Thank you.
Thank you, Henry.
And there is the interview.
I really want to thank him so much for coming on.
He's actually trying to help us think more clearly because these laws are moving very
fast and they're written in languages that are easy to misread.
And the knee-jerk reactions from our own community and myself
can sometimes not be the most productive.
And so I really wanted to bring him on
and actually understand what's going on
from somebody who's able to follow this a little bit better.
We learned today that the terminology matters,
that distinction between age verification,
age estimation, and self-declaration matters,
and who ends up holding the compliance burden
and the data also matters.
If this conversation sparked something for you,
I'd encourage you to look into
the Free Software Foundation of Europe's work
and make sure to get involved with the organizations
pushing back on these laws in ways that protect everyone, including kids. Links are all in the
description. I want to thank Jithandra for coming on and thank you all for watching Techlore Talks.
I learned a lot from this one and it has really helped clear things up for me and kind of helped
me evolve where I can actually kind of see where things are headed in the future. It's really hard
to make content about these topics. So I want to thank you all for listening and for taking your
digital safety seriously and keeping yourself and the people around you a little bit safer.
Thank you all for watching and I'll see you next time on Techlore Talks.
If you like this podcast, you can support it down below by becoming a Techlorian.
See you next time.
*outro music*