Whonix adding age verification?

Whonix will add age verification API. Please don’t. Ignore it. Privacy disaster for any program in user mode including browser JS to query the age verification. Which is required “by law”.

New fingerprinting mechanism: age bracket.

In two years they will say it is not enough, kids are bypassing the verification. Putting fake age. New law requires photo ID check on install. Will Whonix comply? If no, then why comply now?

Why destroy all Whonix user privacy for one authoritarian province?

8 Likes

Age-gating the internet does not make it safer, quite the opposite.

5 Likes

Nominally, maybe. In practice due to a combination of terms-of-service constraints and the implementation mechanism, if this gets implemented at all, all users will almost certainly end up with identical data stored by the “age API”, thus preserving anonymity. See:

  • Low to very low risk: Most installations will likely end up with the same age-bracket value, which reduces uniqueness.

Not an option. May threaten the continued existence of the project and the lives of the project’s developers in the worst case. See:

Not guaranteed, and given that the existing laws are already legally shaky and may be knocked down easily, stricter laws sufficient to gain the attention of existing legal powers in the open-source world would probably be knocked down even more easily. To our awareness, no notable legal entity in the open-source world has expressed an intent to challenge the existing law.

We won’t have to.

2 Likes

The age verification thing is a serious issue. The present law might be relatively harmless, but it builds infrastructure that can be built upon later to do real harm.

In two years they will say it is not enough, kids are bypassing the verification. Putting fake age. New law requires photo ID check on install. Will Whonix comply? If no, then why comply now?

Agreed.

Arraybolt3’s reasoning might be more relevant if we actually had time to implement age verification. But according to reporting by the Lunduke Journal at “Brazil Law: All OS's Have 13 Days to Add Age Verification” (not always the most reliable source, but the source that I have nonetheless), Brazil has an age verification law that goes into effect in two weeks. I do not think an age verification system will be ready for Debian GNU/Linux Trixie within 2 weeks.

Another option is to follow the MidnightBSD approach to exclude residents of certain jurisdictions which have these age verification systems (“MidnightBSD Responds to California's Age Verification Law by Excluding California”). This option can be implemented within 2 weeks.

My understanding is that Encrypted Support LLC, which produces Kicksecure/Whonix, is incorporated in the Marshall Islands (http://www.dds6qkxpwdeubwucdiaord2xgbbeyds25rbsgr73tbfpqpt4a6vjwsyd.onion/wiki/Imprint). As far as I know, the Marshall Islands is outside the jurisdiction of any of these age verification jurisdictions. So why should Encrypted Support LLC need to comply with laws outside of its jurisdiction, from foreign governments?

Not an option. May threaten the continued existence of the project and the lives of the project’s developers in the worst case.

I do not understand why it would threaten the continued existence of the project, given that the organization in charge of the project is not incorporated in one of these age verification jurisdictions. I do not envision California, Colorado, or Brazil sending assassins to kill developers who do not comply with these laws. As for whether CIA/NSA/Mossad/GCHQ/Pete Hegseth would do anything like that, I assume their decision to do or not do such an operation would not be made on the basis of whether or not Encrypted Support LLC complies with foreign age verification laws.

1Broker, a Marshall Islands-based securities dealer and bitcoin trading platform, was recently taken down by the US authorities. The FBI seized the domain of 1Broker, shutting down the platform for allegedly violating money laundering regulations and distributing securities as an unregistered dealer.

It does not seem like we are at this point yet.

Following a recent U.S. district court’s ruling, foreign companies operating cloud-based services may find themselves subject to federal long-arm jurisdiction under the Federal Rules of Civil Procedure 4(k)(2), even if they have no physical presence in the United States. (Foreign Cloud-Based Service Providers May Be Subject to Personal Jurisdiction in the United States | Morrison & Foerster LLP - Social Media - JDSupra)

But this is a ruling in U.S. jurisdiction, not in Marshall Islands jurisdiction. It still matters if the U.S. passes a federal age verification requirement and uses their influence to strongarm the Marshall Islands. But right now, California, Colorado, and Brazil are the relevant governments in question.

3 Likes

There are more states involved than just California and Colorado (New York is a recent newcomer to the party). As for what would and would not warrant international legal action, we can only speculate. Kicksecure and Whonix have a strong “paranoid security” philosophy behind them, and part of that includes legal security.

2 Likes

new wiki comparison table:
Jurisdiction Applicability and Enforcement Comparison Table

And this would take time. First, wait for 2027… Getting investigated… Domain seizure… But this is a risky, unsuitable path forward.

Unfortunately, I am convinced that this approach may be insufficient / risky. Detailed reasoning:
Prohibiting California residents in the Terms of Service
(Expanded just now.)

Once a ruling in the U.S. has been made, the legal risk of enforcement may massively increase. The state may have tools available such as Piercing the corporate veil - Wikipedia and Enforcement of foreign judgments - Wikipedia.

Won’t help. New wiki chapter: Non-U.S. Legal Entity

Addressed here:
Legal Issues

1 Like
2 Likes

I created a meta-topic in Privacy Guides Community referencing both the Qubes OS and Whonix Forum topics:

Wiki pages claim no other major operating system developer has decided anything. Not any of the free software organizations have announced anything: “At the time of writing, no statements by FSF, GNU, FSFE, OSI or EFF existed to the knowledge of the author.” They are still consulting with legal. Aside from MidnightBSD.

Two options existed:

  1. Wait for other large orgs with legal teams to decide and possibly resist. Wiki says Whonix devs have no lawyer consultation, gain benefit of their legal analysis.

  2. Proactively notify everyone how you are complying and encourage them to follow.

Why pick 2?

Will Whonix update in time to comply with the Brazil law? It comes into effect March 17. Likely only the MidnightBSD approach can be implemented in time. Is there urgency over violating the Brazil law? Or only American? Which jurisdictions are respected or ignored?

Wiki claims no privacy loss because all users are 18. Under 18 age entries are rejected. Strange that TOS exclusion of California is not valid. But TOS exclusion of under 18 is. Inevitable that stricter measures will be required “by law” later. Rush to compliance now is worrisome to users who know that. You write a lot about laws and gaining attention of legal powers. But instead of waiting for legal powers of other large orgs to examine you have rushed to comply. Why pick 2?

3 Likes

Most of this is speculation or asking questions that are still unanswered and being researched. Implementing the required API isn’t the only solution possible, it’s only one of several, and rather than running out of time by pursuing only one and trying the others later, we’re investigating / pursuing multiple solutions at once.

2 Likes

Before any action affecting users is taken, an announcement will be made. (Follow Whonix Developments)

How do you know that?

Speculation: It seems untypical. On other occasions, organisations have commented already during the drafting process of the law. It seems this law has slipped through without noticing. And even if they are consulting with legal, at least a statement “we’ll be commenting on this later” I would guess would be consistent with past behavior.

The wiki is making no such statement.

The wiki is not a law blog by a law firm. And even law firms writing law blogs are stating disclaimers such as “this is not legal advice” or lawyers sometimes say when talking in public “I am a lawyer, but I am not your lawyer”.

  1. If it will be shared in public; and
  2. If applicable, which might not be the case due to different legal circumstances.

This hasn’t been done.

All that has happened is a draft wiki page and discussions.

Since upstream already started working on an implementation [1], it makes sense for us to comment on it. That increases the chances that the implementation will be “solid”, have good technical properties such as opt-out, does not make Maintainability significantly harder and does not require a derivative fork/patch/re-compilation.


[1]

1 Like

You’re doing your own legal research. That’s dangerous; the law is weird and complicated and uses counterintuitive categories. I think you’re actually making real mistakes, both about the actual laws and about the enforcement risks, but I’m not a lawyer either, so I won’t argue about them. Please think about getting legal advice from a specialist. The EFF or somebody like that might be able to set you up.

Also, as long as I’m writing, I think it’s also a mistake to use forum software that requires users to give email addresses when signing up. It’s going to deter a lot of the people who really need your project, and maybe give you a badly skewed view of your users.

And thank you for the vast amounts of time you’ve poured into this project.

2 Likes

We don’t have unlimited money to get other people to do the research for us. If nothing else, having something to show to a lawyer will likely be valuable if one ends up involved at some point.

Moderation comment: one forum post = one topic please. Existing post on the topic of email requirements:

(I agree with the wish to avoid needing an email to sign up, this is just trying to keep things “tidy”.)

2 Likes

I understand that you don’t have money. That’s why I’m suggesting people like the EFF. If they have the resources themselves, their help is free. And they may also be able to connect you with non-EFF lawyers who’ll do some pro bono work. Maybe you could also use some of the analysis from other projects.

Sorry about the split topics.

3 Likes

As a general matter, preliminary internal research is a standard part of responsible preparation.

Based on my prior experience with legal matters involving third parties, organizations I have worked with, and legal consultations in which I have had the opportunity to participate, it is generally preferable to approach specialist counsel with the relevant facts, questions, and background materials already organized. Better preparation tends to improve the quality and efficiency of subsequent legal review.

That is already in progress.

2 Likes

I see that most likely Whonix will add age verification. Taking into account everything said here, consider discussing loopholes of this whole situation with legal advisors. For example, instead of asking a user to enter an age inside the OS itself, add a pop up on the website when user tries to download the ISO asking if user is at least 18 years of age, and based on that allow download if user answered yes.

Technically, you “provided” interface to enter “age” before “installation”, it’s just the options are only “At least 18 years of age” and “Not at least 18 years of age”, which doesn’t contradict the law. They don’t mandate you to present multiple options (under 13, 13 and < 16, 16 and < 18), you could put just one and explain (justify) this by stating Whonix OS is only for individuals “At least 18 years of age” if they are petty with it. They specifically state that you can add “birth date, age, or both” (you can put just that age choice option alone), so entire hemorrhoids of birth date submitting can be avoided by presenting that specific option.

Therefore, once the system is installed, you add the variable that user is “At least 18 years of age = True”. It doesn’t really need to be anything complicated, once the apps are adjusted for “listening” to “age signal”, I can imagine they’ll likely use OS setting/api variable reader on app startup with specific age brackets reading True or False, and based on that app either starts or not (Other methods of constantly checking age every second will likely be resource intensive, so I can’t imagine any sane developer going for that).

I’m not a lawyer, but I think such a solution is worthy of discussion with legal advisors.

1 Like

Also, I think that this whole OS age verification BS will just fuck up security features, I can already imagine threat actors changing the age variable to under 13 or some bad input, and unless security apps/features are coded to accept any variable definitions or run even without it (which technically would violate the old cunts’ laws) threat actors could disable any security because some old retarded cunts demand it to be used for any program running on the system. It’s of utmost importance that such laws are banned and cancelled, as it just opens more attack paths. Even if entire Linux goes “No under 18 usage”, what will save it from malware removing the variable altogether or putting bad data in it so the program shuts down? Even if safeguards for such situations were to be installed, it would violate this law anyway. What next, encrypting the variable? Anyways, this entire situation is a big malicious cluster fuck.

2 Likes

If the unfortunate happens and age verification was put in, Whonix would no longer be “freedom software” and that imo would be a tragedy.

I have been with Whonix from the start using it and supporting it. I believe in the product / system and I put trust in Patrick’s ability and in all the devs.

Broad strokes by clueless and corrupt lawmakers threaten this work. It is not an acceptable situation. Anonymity and privacy are absolutes. There is no compromise to this. It can’t be privacy and anonymity but only if the State says and according to parameters set by State.

Hypothetically, to say you do it, then next year, New York or one of those insane places wants OSes to only be available for people who believe a certain political idea. What then? Where does it end? Or does it end?

Resist this garbage. Pass the word along to anyone and everyone who will listen. Educate your people about what this means.

Without compliance they have NOTHING. No one has to “do” anything. Simply say NO. No age verification.

edit: remove part that has off topic stuff

4 Likes

This won’t be the case. Any implementation of age verification would be fully open-source and treated identically to every other package in the system. An initial concept implementation was started at Kicksecure/age-api on GitHub; this is most likely not reflective of what the final system would look like if we needed to implement it, but it is AGPL-3+ licensed and available for anyone to read through, contribute to, fork, etc. The final implementation will adhere to this.

There are safe and unsafe ways to do that. We’re already working on the safe ways. But like explained above, we’re pursuing multiple solutions at once so that we don’t get “stuck” on one and end up with worse problems to deal with.

2 Likes

I understand your perspectives and opinion and I respect both. Thanks for replying.

I think that this needs to be fought hard, and immediately. Do not give an inch. Think for one moment how stupid this is: CA makes a law. I do not live there. An age verify is an intrusion into my privacy. Where I live has no such law. Why must I do what CA or other place does? Now my privacy is violated because of some asshole in other part of the world?

I guess my whole point is: the free software community should say collectively: hell no we will not do it. Realistically why even consider such a thing as to comply with something so ridiculous? And what about if I fork whatever distro implements that and simply remove the intrusive bit? Easy to do, so then what? These are not questions for you to answer. It’s for all to think about themselves and decide.

4 Likes