Whonix adding age verification?

arraybolt3 · March 6, 2026, 10:28pm

Bear in mind that the law dictates what the OS devs have to do, not the user. There also would need to be a mechanism to ask the user what jurisdiction they’re in because what’s mandatory in one jurisdiction may illegal in another, and there’s no reliable way to geolocate a PC user for this purpose.

disgusted23 · March 6, 2026, 11:22pm

Hi, thanks for answering!

I get where you and all devs are coming from.

There is not an easy answer that satisfies everyone.

Patrick · March 7, 2026, 7:29am

Written age-api, Security Impact just now.

Written Legal impact in case malware is tampering with the age API just now.

Wiki chapter which predated age API by years: Legal Issues

Patrick · March 7, 2026, 7:49am

Moderation comment

Nothing has been done yet. This is draft and discussion status only.

As a prerequisite for future postings here:

Read the relevant law(s) in full. It makes no sense to comment without knowing what the law actually says.
Read the current draft. Many important details are already documented: Age Signaling and Interface Documentation and Design for Kicksecure (and Whonix)
Use search engines and existing documentation first. See: Utilize Search Engines, Documentation and AI
(Optional) Discuss your idea with AI to sanity-check it and reduce back-and-forth.
If you are convinced you have a great contribution to make, comment here with the relevant citations, links.

This is in line with: Development Discussion Policy
Goal: preserve developer time.

In case any changes are made, an announcement will be posted here: Follow Whonix Developments

disgusted23 · March 9, 2026, 3:55pm

Hi Patrick, this post is in line with what you stated up there. these are supreme court cases:

Gibbons vs Ogden 1824
states do not have authority to regulate things so that they pose a restriction or difficylty in interstate commerce (court has said repeated ly that internet traffic counts just like cars and buses for “inter-state commerce.”)

Shekton(sp?) vs Tucker 1960
reinforced that any state interfering with or denying Constitutionally guaranteed rights is not able to do that. This clearly violates my 1st amendment right. I dont live in California and complying with their law infringes on my free speech. I never intended to share my age for example

Bush v. Gore 2000
focus on uniform standards; it stress that confusing or misleading laws will be stricken

Reno v. ACLU 1997
struck down procisions of CDA that imposed restrictions on online speech (CDA mean “communication decency act”)

Ft. worth v. Texas 2005
laws imposing restrictions on technology without clear justification could violate 1st amendment

Netherlands vs United States
dealt wth the limits on states ability as far as passing laws that reaches over their border

Edit: forgot to tell that california is violating its own law with this new law! They have something where code is “protected speech.” So, how can code as protected speech and the new law trying to force an unwilling change in that same code even co-exist?

crabprogrammer · March 9, 2026, 9:10pm

I think people reading and participating in this topic should keep in mind one more thing that is very important to understand.
The developers of Whonix can’t really openly discuss loop holes or anything similar to that because the law says that the developers have to make a good faith effort in their implementation. And discussing loop holes could be used in court as evidence of not acting in good faith.
The developers are not anonymous.

Another very important point about this what becomes obvious from this new law and how we react to it, is whonix is not censorship resistant. The OS has to follow the laws and politicians can destroy Whonix at any time by making a new law. Whonix devs are non anonymous so they would have to comply.
Fortunately, this new law is not the end of the world. But it does seem like a first step. A test. They’re planting the foundation which can be used to destroy us in the future in further steps.

So we should think about how it’s possible to bring in new whonix developers who are anonymous. And find ways to host and distribute Whonix that are censorship resistant. Maybe by using IPFS and p2p filesharing torrenting.

HPOA909 · March 9, 2026, 11:33pm

I have read the bill once again and shall be a military language that shall be interpreted and understand what it means, necessarily. Based on the premise of Section F:

(f) This title does not apply to any of the following:

(1) A broadband internet access service, as defined in Section 3100.

(2) A telecommunications service, as defined in Section 153 of Title 47 of the United States Code.

(3) The delivery or use of a physical product.

It does not applied to physical items, ISPs, and phones for financing as such. It shall only apply to the Operating System levels in which they might encourage encrypted data/signal to those apps that they really needed.

HPOA909 · March 9, 2026, 11:39pm

Additional notes:

Based upon re-reading the bill, it’s a class-base system.
It only given the design overall of what the bill’s intentions were.
The bill only restrict the collection of age bracket data/signal whenever or whatever reasons that the applications necessary needed for.

mrxmr · March 10, 2026, 9:56am

[… 8 lines elided]

Any implementation of age verification would be fully open-source and
treated identically to every other package in the system.

This doesn’t give relevant assurances to WhonixOS users. We are using
this OS for privacy features. I don’t care if a self-doxx system made
open source or not. It is a self-doxx system, and has no place in a
privacy OS.

Patrick · March 10, 2026, 11:19am

System76:

Illinois Bill IL SB3977 (Children’s Social Media Safety Act)
- discussion: https://legiscan.com/politicorps/debate/fvwy4zdg/thread/a80v0s0w
- text: https://legiscan.com/IL/text/SB3977/2025
  - (found here: Re: On the unfortunate need for an "age verification" API for legal compliance reasons in some U.S. states)

There is no magic solution to this. Getting new developers - anonymous or non-anonymous - would always be good - completely unrelated to any laws.

The issue is, there is no sustainable business model. Let alone, for a completely anonymously run project.

Related: Open Source Business Models

arraybolt3 · March 10, 2026, 3:35pm

Quoting an earlier post of mine from above:

FranklyFlawless · March 16, 2026, 1:46pm

Looks like Ageless Linux is claiming Kicksecure and Whonix will be complying with the age verification API:

Distribution Status Ageless Response

Kicksecure / Whonix Aaron Rainbolt is actively working on a compliance path. Proposed the cross-distro D-Bus interface. Plans to store only age bracket data, not birthdates, with user-triggered updates when they cross bracket boundaries. Privacy researchers have questioned whether any age verification mechanism is compatible with privacy-focused operating systems. Complying

I am not authorized to formally/legally dispute this claim on behalf of Kicksecure and/or Whonix, so this post is merely a call-to-action for either you or @Patrick to address.

arraybolt3 · March 17, 2026, 12:02am

Thanks, submitted a PR:

xander · March 17, 2026, 6:05pm

who wait why do age verification when they use node js

Patrick · March 17, 2026, 6:55pm

Who uses NodeJS?

arraybolt3 · March 18, 2026, 4:08am

Quoting from our age-api research page on the Kicksecure wiki:

Current assessment: Unlikely: Kicksecure and Whonix are currently unlikely to implement an age API.

Possible revised assessment: This may later be updated to “highly unlikely” or “no changes planned”.

(Mainly posting this here so that people who come here elsewhere from the Internet don’t get confused.)

rideordie · March 21, 2026, 10:57am

Systemd has added age-related metadata. Not in itself verification, but the groundwork for age verification via systemd.

https://old.reddit.com/r/linux/comments/1rxt50c/systemd_has_merged_age_verification_measures_into/

Sorry if this has already been posted, but Discourse lazy loads and I can’t search for it.

Since Whonix is downstream from Debian, and Debian uses systemd, and Whonix has a “we don’t mess with upstream” policy, at least part of the age verification infrastructure will already be baked into Whonix. Nevertheless, as of now, it’s just a metadata field, like name and email address. It will be up to specific operating systems to decide what to do with it–unless more gets baked into systemd at the behest of corpo-Linux. We are in a frog in the pot moment, and we should stick to our principles. I’m prepared to contribute to the effort, in whatever modest way I can, in whatever direction Patrick decides.

FranklyFlawless · March 21, 2026, 4:39pm

Contribute by Taking on Legal Responsibility

It may be unrealistic to expect developers who are already very busy to personally take on the risk of a legal case. So what is the alternative for someone who still wants to help this effort?

One possible alternative would be volunteers who are willing to be personally identified. This could include providing their real name, address, and any identity verification that may be required. They would need to complete all required paperwork, such as forms, registrations, contracts, and other legal documents. They would also need to accept full personal liability for whichever project(s) they choose to cover. In other words, they would personally take on the legal risk and possible financial costs if something goes wrong.

This is based on the as-yet unconfirmed assumption that volunteers can legally take on this kind of responsibility at all.

If such volunteers existed and were willing to challenge age-API in court, for example by arguing that “code is speech” or by using any other arguments recommended by legal counsel, more projects might be willing to refuse compliance by not implementing age-API.

FranklyFlawless · March 24, 2026, 5:44pm

I got in contact with a representative from the Software Freedom Conservancy during the weekend. I had a discussion with them about the age verification API and what they can do to help Kicksecure and Whonix, and they said they are able to provide various fiscal sponsorship services, including basic legal advice/services, subject to joining SFC:

Software in the Public Interest (SPI) also offers similar fiscal sponsorship services:

You may already know about SPI as Debian is one of their associated projects, among other Linux distributions:

Otherwise, the SFC representative mentioned that there will be an age verification API article on the SFC website sometime in the near future, so I can add that as a reference to its respective Kicksecure Wiki page when it is eventually published.

FranklyFlawless · March 29, 2026, 2:54am

Other than Ageless Linux, there is another GitHub repository attempting to keep track of all of the Linux distributions’ compliance statuses with/against age verification:

Kicksecure and Whonix are mentioned in an issue, which references the pull request from the Ageless Linux GitHub repository earlier in this topic:

github.com/BryanLunduke/DoesItAgeVerify

Statements by privacy focused OSes

opened 10:04AM - 21 Mar 26 UTC

ryrona2

**Current status as of March 21, 2026:** SecureBlue intend to comply with age ve…rification laws, QubesOS will follow Fedora decision, KickSecure and Whonix were intending to comply but are now undecided, Tails is undecided, GrapheneOS will not comply. ## SecureBlue SecureBlue has officially expressed interest in complying with the new laws, while simultaneously urging users to fight back against the laws. Official statement: https://bsky.app/profile/secureblue.dev/post/3mgddiwxxas2y > California recently passed, and Colorado and NY recently introduced, age verification legislation targeting OS providers that is so imprecisely written that it's unclear how to comply. If you live in one of those states, contact your state senator and rep asking them to oppose this legislation. GitHub ticket that clarifies this is the "public position" from the project regarding these age verification laws: https://github.com/secureblue/secureblue/issues/2008#issuecomment-4006617689 Inofficial statement they have no other option than to comply (see also earlier posts where they actively discuss how to implement age verification): https://discussion.fedoraproject.org/t/california-age-verification/181968/167 > Respectfully, repeating your desire for distros to decline to comply with this law isn’t a particularly productive contribution to the conversation. I understand completely the opposition to this legislation, which is frankly sophomoric in its imprecision regardless of how well-intentioned it may be. That said, asking other people and organizations to ignore liability placed on them by legislation is barking up the wrong tree. ## QubesOS A representative from the QubesOS development team has inofficially said they intend to do whatever Fedora does: https://github.com/QubesOS/qubes-issues/issues/10744#issuecomment-3997244349 > Regardless of the issues surrounding jurisdiction, enforcement, etc it should be obvious that Qubes is a derivative distribution. Whatever solution (if any) is given upstream, we will be following. It seems to me entirely an upstream issue. ## KickSecure and Whonix KickSecure and Whonix were intending to comply with the law, and said many times they have no choice, and that they value legal security for their developers and users. They were actively developing a "privacy-preserving" implementation for age verification. But after overwhelming opposition by their current user base, they have now changed their stance to that they are "unlikely" to comply with the law (ie, undecided). Official statement: https://www.kicksecure.com/wiki/Age-api#Status_of_Kicksecure_and_Whonix > At the moment, Kicksecure and Whonix do not expect to add an age API. This assessment may become more definite later. If future releases or upgrades require changes in this area, those changes would be announced in advance. One of the developers has inofficially clarified the change of stance here: https://github.com/agelesslinux/agelesslinux.org/pull/1 > Since the initial discussion I started on behalf of Kicksecure and Whonix, plans have changed, and we are now "unlikely to implement an age API." ## Tails A representative from the Tails development team has inofficially said they are discussing the matter internally: https://gitlab.tails.boum.org/tails/tails/-/work_items/21457#note_279297 > Thank you. We're aware and discussing this within Tor Project, so I'd rather not track it here separately. ## GrapheneOS GrapheneOS will not comply with the laws or take any action at all due to the laws. Official statement: https://grapheneos.social/@GrapheneOS/116261301913660830 > GrapheneOS will remain usable by anyone around the world without requiring personal information, identification or an account. GrapheneOS and our services will remain available internationally. If GrapheneOS devices can't be sold in a region due to their regulations, so be it. Another earlier inofficial statement: https://discuss.grapheneos.org/d/32410-does-grapheneos-plan-to-comply-with-os-level-age-verification-laws/99 > We're under no more obligation to filter the internet for California than we are to do it for China. Neither blocks access to the GrapheneOS website or services. If California wants to block access to those then they're welcome to pass a law implementing their own Great Firewall. The most action they could get from us is replacing Los Angeles and San Jose servers with Las Vegas or Seattle.