Whonix adding age verification?

Whonix will add age verification API. Please don’t. Ignore it. Privacy disaster for any program in user mode including browser JS to query the age verification. Which is required “by law”.

New fingerprinting mechanism: age bracket.

In two years they will say it is not enough, kids are bypassing the verification. Putting fake age. New law requires photo ID check on install. Will Whonix comply? If no, then why comply now?

Why destroy all Whonix user privacy for one authoritarian province?

3 Likes

Age-gating the internet does not make it safer, quite the opposite.

2 Likes

Nominally, maybe. In practice due to a combination of terms-of-service constraints and the implementation mechanism, if this gets implemented at all, all users will almost certainly end up with identical data stored by the “age API”, thus preserving anonymity. See:

  • Low to very low risk: Most installations will likely end up with the same age-bracket value, which reduces uniqueness.

Not an option. May threaten the continued existence of the project and the lives of the project’s developers in the worst case. See:

Not guaranteed, and given that the existing laws are already legally shaky and may be knocked down easily, stricter laws sufficient to gain the attention of existing legal powers in the open-source world would probably be knocked down even more easily. To our awareness, no notable legal entity in the open-source world has expressed an intent to challenge the existing law.

We won’t have to.

2 Likes

The age verification thing is a serious issue. The present law might be relatively harmless, but it builds infrastructure that can be built upon later to do real harm.

In two years they will say it is not enough, kids are bypassing the verification. Putting fake age. New law requires photo ID check on install. Will Whonix comply? If no, then why comply now?

Agreed.

Arraybolt3’s reasoning might be more relevant if we actually had time to implement age verification. But according to reporting by the Lunduke Journal at Brazil Law: All OS's Have 13 Days to Add Age Verification (not always the most reliable source, but the source that I have nonetheless), Brazil has an age verification law that goes into effect in two weeks. I do not think an age verification system will be ready for Debian GNU/Linux Trixie within 2 weeks.

Another option is to follow the MidnightBSD approach to exclude residents of certain jurisdiction which have these age verification systems (MidnightBSD Responds to California's Age Verification Law by Excluding California). This option can be implemented within 2 weeks.

My understanding is that Encrypted Support LLC, which produces Kicksecure/Whonix, is incorporated in the Marshall Islands (http://www.dds6qkxpwdeubwucdiaord2xgbbeyds25rbsgr73tbfpqpt4a6vjwsyd.onion/wiki/Imprint). As far as I know, the Marshall Islands is outside the jurisdiction of any of these age verification jurisdictions. So why should Encrypted Support LLC need to comply with laws outside of its jurisdiction, from foreign governments?

Not an option. May threaten the continued existence of the project and the lives of the project’s developers in the worst case.

I do not understand why it would threaten the continued existence of the project, given that the organization in charge of the project is not incorporated in one of these age verification jurisdictions. I do not envision California, Colorado, or Brazil sending assassins to kill developers who do not comply with these laws. As for whether CIA/NSA/Mossad/GCHQ/Pete Hegseth would do anything like that, I assume their decision to do or not do such an operation would not be made on the basis of whether or not Encrypted Support LLC complies with foreign age verification laws.

1Broker, a Marshall Islands-based securities dealer and bitcoin trading platform, was recently taken down by the US authorities. The FBI seized the domain of 1Broker, shutting down the platform for allegedly violating money laundering regulations and distributing securities as an unregistered dealer.

It does not seem like we are at this point yet.

Following a recent U.S. district court’s ruling, foreign companies operating cloud-based services may find themselves subject to federal long-arm jurisdiction under the Federal Rules of Civil Procedure 4(k)(2), even if they have no physical presence in the United States. (Foreign Cloud-Based Service Providers May Be Subject to Personal Jurisdiction in the United States | Morrison & Foerster LLP - Social Media - JDSupra)

But this is a ruling in U.S. jurisdiction, not in Marshall Islands jurisdiction. It still matters if the U.S. passes a federal age verification requirement and uses their influence to strongarm the Marshall Islands. But right now, California, Colorado, and Brazil are the relevant governments in question.

1 Like

There are more states involved than just California and Colorado (New York is a recent newcomer to the party). As for what would and would not warrant international legal action, we can only speculate. Kicksecure and Whonix have a strong “paranoid security” philosophy behind them, and part of that includes legal security.

2 Likes

New wiki comparison table:
Jurisdiction Applicability and Enforcement Comparison Table

And this would take time. First, wait for 2027… Getting investigated… Domain seizure… But this is a risky, unsuitable path forward.

Unfortunately, I am convinced that this approach may be insufficient / risky. Detailed reasoning:
Prohibiting California residents in the Terms of Service
(Expanded just now.)

Once a ruling in the U.S. has been made, the legal risk of enforcement may massively increase. The state may have tools available such as Piercing the corporate veil - Wikipedia and Enforcement of foreign judgments - Wikipedia.

Won’t help. New wiki chapter: Non-U.S. Legal Entity

Addressed here:
Legal Issues

1 Like
1 Like

I created a meta-topic in Privacy Guides Community referencing both the Qubes OS and Whonix Forum topics:

Wiki pages claim no other major operating system developer has decided anything. Not any of the free software organizations have announced anything: “At the time of writing, no statements by FSF, GNU, FSFE, OSI or EFF existed to the knowledge of the author.” They are still consulting with legal. Aside from MidnightBSD.

Two options existed:

  1. Wait for other large orgs with legal teams to decide and possibly resist. Wiki says Whonix devs have no lawyer consultation, gain benefit of their legal analysis.

  2. Proactively notify everyone how you are complying and encourage them to follow.

Why pick 2?

Will Whonix update in time to comply with the Brazil law? It comes into effect March 17. Likely only the MidnightBSD approach can be implemented in time. Is there urgency over violating the Brazil law? Or only American? Which jurisdictions are respected or ignored?

Wiki claims no privacy loss because all users are 18. Under 18 age entries are rejected. Strange that TOS exclusion of California is not valid. But TOS exclusion of under 18 is. Inevitable that stricter measures will be required “by law” later. Rush to compliance now is worrisome to users who know that. You write a lot about laws and gaining attention of legal powers. But instead of waiting for legal powers of other large orgs to examine you have rushed to comply. Why pick 2?

1 Like

Most of this is speculation or asking questions that are still unanswered and being researched. Implementing the required API isn’t the only solution possible; it’s only one of several, and rather than running out of time by pursuing only one and trying the others later, we’re investigating / pursuing multiple solutions at once.

2 Likes

Before any action affecting users is taken, an announcement will be made. (Follow Whonix Developments)

How do you know that?

Speculation: It seems untypical. On other occasions, organisations have commented already during the drafting process of the law. It seems this law has slipped through without noticing. And even if they are consulting with legal, at least a statement “we’ll be commenting on this later” I would guess would be consistent with past behavior.

The wiki is making no such statement.

The wiki is not a law blog by a law firm. And even law firms writing law blogs are stating disclaimers such as “this is not legal advice” or lawyers sometimes say when talking in public “I am a lawyer, but I am not your lawyer”.

  1. If it will be shared in public; and
  2. If applicable, which might not be the case due to different legal circumstances.

This hasn’t been done.

All that has happened is a draft wiki page and discussions.

Since upstream already started working on an implementation [1], it makes sense for us to comment on it. That increases the chances that the implementation will be “solid”, have good technical properties such as opt-out, does not make Maintainability significantly harder and does not require a derivative fork/patch/re-compilation.


[1]

1 Like

You’re doing your own legal research. That’s dangerous; the law is weird and complicated and uses counterintuitive categories. I think you’re actually making real mistakes, both about the actual laws and about the enforcement risks, but I’m not a lawyer either, so I won’t argue about them. Please think about getting legal advice from a specialist. The EFF or somebody like that might be able to set you up.

Also, as long as I’m writing, I think it’s also a mistake to use forum software that requires users to give email addresses when signing up. It’s going to deter a lot of the people who really need your project, and maybe give you a badly skewed view of your users.

And thank you for the vast amounts of time you’ve poured into this project.

1 Like