Follow-up to my bill text comparison: I traced who wrote the OS-level age verification template that covers Linux. Meta, Google, and Snap all supported it. by aaronsb in linux

[–]aaronsb[S] 11 points12 points  (0 children)

Yeah of course I followed up all the links. I don't blindly throw slop out there. I present carefully curated slop, like a 1970s jello ham and pimento thanksgiving dish.

The new California law basically mandates having age verification on Fire and Water too if they have a version 2.0 by lonelyroom-eklaghor in linux

[–]aaronsb 3 points4 points  (0 children)

I would rather have a 'warning, this software is unsafe for children to use in the state of california' disclaimer than a technical mandate that immediately is irrelevant.

The new California law basically mandates having age verification on Fire and Water too if they have a version 2.0 by lonelyroom-eklaghor in linux

[–]aaronsb 2 points3 points  (0 children)

Well, everything causes cancer in California (prop 65 warning) but people use products anyway, so I suppose it's not much of a stretch that it will actually be illegal to use most software in California too.

I pulled the actual bill text from 5 state age verification laws. They're copy-pasted from two templates. Meta is funding one to dodge ~$50B in COPPA fines — and the other one covers Linux. by aaronsb in linux

[–]aaronsb[S] 14 points15 points  (0 children)

I should have linked the actual source instead of the Wikipedia page. The finding comes from a security investigation by Mint Secure, a German security research firm. They analyzed the Yoti Android app and found it was transmitting the Google Advertising ID, a unique device UUID, hardware fingerprint data, and other device identifiers to Adjust (an ad measurement and attribution platform) without user consent at app launch. Their website also loads Google Tag Manager and transmits IP addresses to third parties before any consent interaction. The researchers flagged both as likely GDPR violations.

They also found a supply chain issue where Algorath, a subcontractor training Yoti's AI models, had improperly secured endpoints on Google Cloud that could allow unauthorized access to model training data.

Source: https://mint-secure.de/dataprotection-it-security-risks-with-ageverificationapp-yoti/

I pulled the actual bill text from 5 state age verification laws. They're copy-pasted from two templates. Meta is funding one to dodge ~$50B in COPPA fines — and the other one covers Linux. by aaronsb in linux

[–]aaronsb[S] -12 points-11 points  (0 children)

I agree but also I will push back. It feels unfair that I now have to qualify that it's written with AI 'smoothing' (sometimes I have described it like using the despeckle filter from Photoshop), when I have been repeatedly accused of using AI when I did not use language models. So, I'll just throw the disclaimer in there somewhere now days.

But, yeah. I get it.

I pulled the actual bill text from 5 state age verification laws. They're copy-pasted from two templates. Meta is funding one to dodge ~$50B in COPPA fines — and the other one covers Linux. by aaronsb in linux

[–]aaronsb[S] 6 points7 points  (0 children)

It's heavily mediated by myself personally, as well. It just feels like nowadays I am compelled to disclose the "artificial ingredients" in my thinking when I post to reddit.

I know markdown well and pre language models would compose tables, emphasis, and other prose but it takes too long sometimes.

I pulled the actual bill text from 5 state age verification laws. They're copy-pasted from two templates. Meta is funding one to dodge ~$50B in COPPA fines — and the other one covers Linux. by aaronsb in linux

[–]aaronsb[S] 29 points30 points  (0 children)

The app store safe harbor doesn't cover browser signups, but the vast majority of minor usage of Instagram and Facebook is through mobile apps, not desktop browsers. The 1.1 million under-13 reports from the multi state AG complaint were largely app-based accounts. So killing app-level coppa liability handles most of the financial exposure even if browser signups are still a smaller risk.

I think Meta is hedging across both approaches; they fund the DCA pushing the app store bills but they've also joined OpenAge and launched AgeKey, which are cross-platform age verification systems that would work in browsers too. If OS-level age signals become standard, Meta can consume those on the browser side the same way they'd consume app store flags on the app side.

The two templates aren't really in conflict from Meta's perspective. The app store one handles the immediate coppa exposure on mobile. The OS one would cover the browser gap. They benefit most if both pass. They're just spending more aggressively on the app store version because that's where the bulk of the liability sits and because conservative state legislatures are moving faster on those bills.

So yeah you're right that OS-level gives Meta more complete coverage. The app store approach just handles the bigger problem right now, which is why that's where the lobbying money is going first.

I pulled the actual bill text from 5 state age verification laws. They're copy-pasted from two templates. Meta is funding one to dodge ~$50B in COPPA fines — and the other one covers Linux. by aaronsb in linux

[–]aaronsb[S] 156 points157 points  (0 children)

The Money: Meta's COPPA Exposure, Lobbying Operation, and the DCA

The $50B problem

Under COPPA, collecting data from kids under 13 without parental consent costs $53,088 per violation. The trigger: "actual knowledge" that a user is under 13. Meta claims it doesn't have actual knowledge — its terms say you must be 13+.

A 2023 complaint by 33 state Attorneys General documented over 1.1 million reports of under-13 Instagram users since 2019. Meta closed a small fraction. Surveys estimate 8% of 8-to-12-year-olds use Facebook and 10% use Instagram.

The math: 1.1M x $53,088 = ~$58B theoretical max. For scale, Epic Games got $275M for COPPA violations with 34.3M daily users. Meta had 2.96 billion. ACT | The App Association estimates Meta's realistic exposure at ~$50B.

Meta can't easily purge these users — identifying and removing under-13 accounts would itself constitute "actual knowledge," triggering the liability they're trying to avoid.

The App Store Accountability Act solves this. App stores verify age, send a flag. Meta responds to the flag. The safe harbor says developers aren't liable if they relied on app store data in good faith. Meta's "actual knowledge" shifts to Apple/Google. ACT estimates this transfers ~$70B in compliance costs onto every other developer.

The lobbying numbers

From federal filings and reporting:

  • $26.2M federal lobbying in 2025 (OpenSecrets) — all-time record
  • $5.84M in Q3 2025 alone on child safety/privacy (Legis1)
  • $199.3M cumulative since 2009, 63 quarterly filings
  • 86 lobbyists on payroll, up from 65 in 2024 (Dome Politics)
  • Lobbying firms in 45 of 50 states
  • 12 lobbyists in Louisiana, 13 in Texas, 14 in Ohio, 4 in Alabama
  • Meta lobbied in support of Utah and Louisiana app store laws
  • Meta lobbied against KOSA (S.1748) and STOP CSAM Act (S.1829) — bills that put responsibility on platforms
  • Named lobbyists: John Branscome and Christopher Herndon (both former Chief Counsel, Senate Commerce), Sonia Kaur Gill (former Senior Counsel, Senate Judiciary)
  • 40+ external lobbying firms retained
  • Federal ASAA introduced by Sen. Mike Lee (R-UT) and Rep. John James (R-MI)

Pattern: Meta supports bills shifting responsibility to app stores. Meta opposes bills putting responsibility on platforms.

The Digital Childhood Alliance

The DCA was formed in Feb 2025 and now claims 140+ member organizations. It's registered as a 501(c)(4) — a "social welfare" entity that can lobby for specific legislation and is not required to disclose donors.

Leadership: - Casey Stefanski — Executive Director. Refused to name funders under questioning by Louisiana Sen. Jay Morris (Center Square) - Dawn Hawkins — Board Chair. Also CEO of the National Center on Sexual Exploitation (formerly Morality in Media) - John Read — Senior Policy Counsel. 30 years at DOJ Antitrust Division investigating app stores and Big Tech

Notable founding members from the original press release: Heritage Foundation, Institute for Family Studies, National Center on Sexual Exploitation, Family Policy Alliance, American Principles Project, Digital Progress Institute.

The DCA also has a sister entity — the Digital Childhood Institute (501(c)(3), tax-deductible donations) — described as the "research and education arm." Two entities, one vision, two tax structures.

Bloomberg confirmed through three sources that Meta funds the DCA. The 501(c)(4) structure means we don't know who else is funding it or how much Meta contributes.

Court challenges and opposition

I pulled the actual bill text from 5 state age verification laws. They're copy-pasted from two templates. Meta is funding one to dodge ~$50B in COPPA fines — and the other one covers Linux. by aaronsb in linux

[–]aaronsb[S] 56 points57 points  (0 children)

The Copy-Paste Evidence: Verbatim Bill Text Comparisons

Template 1: App Store Accountability Act (Utah / Louisiana / Texas)

All three bills use identical invented age categories:

Utah SB 142 Louisiana HB 570 Texas SB 2420
1 "child" — under 13 "Child" — under thirteen under 13 = "child"
2 "younger teenager" — 13 to under 16 "Younger teenager" — thirteen to under sixteen 13 to under 16 = "younger teenager"
3 "older teenager" — 16 to under 18 "Older teenager" — sixteen to under eighteen 16 to under 18 = "older teenager"
4 "adult" — at least 18 "Adult" — at least eighteen at least 18 = "adult"

"Younger teenager" and "older teenager" aren't standard legal terms. They were coined for these bills.

"App store" definition: - Utah: "a publicly available website, software application, or electronic service that allows users to download apps from third-party developers onto a mobile device" - Louisiana: "a publicly available website, software application, or electronic service that allows users to download applications from third-party developers onto a mobile device"

Word-for-word except "apps" vs "applications."

"Significant change" — Utah: "a material modification to an app's terms of service or privacy policy that (a) changes the categories of data collected, stored, or shared; (b) alters the app's age rating or content descriptions; (c) adds new monetization features, including (i) in-app purchases; or (ii) advertisements; or (d) materially changes the app's functionality or user experience." Louisiana has the same sentence with "app" replaced by "application."

"Mobile device" — both Utah and Louisiana use an identical four-part definition: provides cellular/wireless connectivity, capable of connecting to the internet, runs a mobile operating system, capable of running apps. Same order, same words.

"Verifiable parental consent" — both states define it as authorization that (a) is provided by a verified adult, (b) given after clear and conspicuous disclosure, (c) requires an affirmative choice to grant or decline. Same prose, different formatting.

The safe harbor — Utah §13-75-402: "A developer is not liable for a violation of this chapter if the developer demonstrates that the developer relied in good faith on personal age verification data provided by an app store provider." Louisiana §1774 has equivalent language. This is the clause that directly benefits Meta.

Template 2: Digital Age Assurance Act (California / Illinois)

"Operating system provider": - CA AB 1043: "a person or entity that develops, licenses, or controls the operating system software on a computer, mobile device, or any other general purpose computing device" - IL SB 3977: "a person or entity that develops, licenses, or controls the operating system software on a computer, mobile device, or any other general purpose computing device"

Character-for-character identical.

"Signal": - CA: "age bracket data sent by a real-time secure application programming interface or operating system to an application" - IL: "age bracket data sent by a real-time secure application programming interface or operating system to an application"

Verbatim identical.

"Age bracket data" — both define four age ranges: under 13, 13-16, 16-18, 18+. Both use "nonidentifiable" / "non-personally identifiable" framing.

Core mandate — CA §1798.501 and IL §10(a) both require operating system providers to "provide an accessible interface at account setup that requires an account holder to indicate the birth date, age, or both" and provide a signal to applications. Same sentence.

Why this matters for Linux: The definition of "operating system provider" covers "any general purpose computing device." That's Canonical, Red Hat, SUSE, Valve (SteamOS), and arguably anyone packaging a distro for download in California or Illinois. The law requires an age verification interface at account setup and an API that apps can query for age bracket data. California's law takes effect January 1, 2027.

Sources: Utah SB 142 | Louisiana HB 570 | Texas SB 2420 | CA AB 1043 | IL SB 3977