Objections to systemd age-attestation changes go overboard
In early March, Dylan M. Taylor submitted a pull request to add a field to store a user's birth date in systemd's JSON user records. This was done to allow applications to store the date to facilitate compliance with age-attestation and -verification laws. It was to be expected that some members of the community would object; the actual response, however, has been shockingly hostile. Some of this has been fueled by a misinformation campaign that has targeted the systemd project and Taylor specifically, resulting in Taylor being doxxed and receiving death threats. Such behavior is not just problematic; it is also deeply misguided given the actual nature of the changes.
Age-attestation and -verification laws that place requirements on operating-system providers have passed in California and Brazil, and are being discussed in many other states and locations. This has led a number of Linux distributions to consider ways that they can comply with the laws if necessary. One idea that is being worked on is to add parental controls to the XDG Accounts portal which is a mechanism that allows applications to query for information about users, such as their name or avatar image. It can gather this information from various data sources, including systemd.
Taylor's changes would allow a system administrator to set and modify each user's birth date stored as birthDate in the YYYY-MM-DD format. Unprivileged users would not be able to modify the date, but could query it, so applications could retrieve the user's age via the Accounts portal. Note that this change does not automatically require or even prompt a user to provide their birth date; it only provides a way for applications to store the date. In other words, Taylor has only implemented one feature that could be used in a larger age-attestation system. His work does not implement an attestation system on its own, nor would such systems be prevented if the change were reverted; the birth date could simply be housed in another data store.
There have been some reasonable objections to the feature; as one example, Jeremy
Soller, who works for System76, said
that the company had been in talks with legislators, and it might be that open-source
operating systems would be exempted from these laws in the end. Even if that does not
happen, he worried that a dependency on systemd "which is decidedly unportable to
non-Linux
" systems, would require two implementations to exist.
Zbigniew Jędrzejewski-Szmek replied
that while it was possible California's law would be changed, "similar ideas are
popping up in other contexts and it's unlikely that they'll all go
away
". Ultimately, Luca Boccassi merged Taylor's changes after a bit of
back-and-forth about the implementation.
Age attestation vs. verification
It is worth calling out that there is also a substantial difference between age attestation and age verification; attestation allows users or administrators of a system to provide information about their age. The person controlling the device is supplying the information. What is being discussed, for Linux systems, is a way for the user or administrator to supply the user's birth date. How that will be implemented for various desktop environments and distributions is still up in the air; the systemd birthDate field would be a small piece of any attestation systems that wind up being implemented.
The most important distinction is that an attestation system is under the control of the local administrator of a system; no documents are being checked or handed to a third party. Nothing prevents a person controlling the Linux system from supplying a random date rather than the accurate date. The services used for age attestation could also be disabled entirely by the administrator of the system, of course. Just because a Linux distribution ships a feature does not mean that users of the distribution are obliged to keep it turned on; but it should serve to satisfy the legal requirements placed on operating-system suppliers.
Age verification, on the other hand, generally requires furnishing a third party
with some kind of proof—such as government identification—about one's
birth date. There are many reasons to strongly object to age-verification schemes;
privacy concerns and the potential for identity theft when third-party providers
inevitably suffer data breaches are two that quickly come to mind. However, age
verification is not what is being considered here. The fact that the two are being
conflated, though, is not surprising—especially since Taylor used the term
"age verification
" in his pull request.
Controversy
As a rule, it does not take a great deal to cause a controversy in the open-source community. We are, to put it mildly, an opinionated bunch. Many people choose to use Linux because they wish to have full control over their operating system and applications; a change that offers exactly zero real benefit to the user other than compliance with a poorly thought-out law is not going to spark joy. One could predict a certain amount of objection and opposition to implementing age attestation no matter what.
However, the controversy appears to have been helped along by a few actors
looking to stir the pot. In a discussion on the Debian developer mailing list about
age-attestation systems, Otto Kekäläinen pointed
to a site called The TBOTE Project that
has been publishing information on the lobbying campaign to push an
age-assurance law that has been introduced in a number of states across the
US. Age assurance means that a device provides attestation of a user's age that has
been verified, rather than self-supplied. For example, New York's Senate Bill
S8102A requires "manufacturers of internet-enabled devices to conduct age
assurance to determine a user's age category
". This means that a device
owner will likely need to perform some kind of age verification, and then the result
would be stored locally.
The site also dedicates a
section to the systemd project. To say it is conspiratorial in nature would
be an understatement. It attempts to cast the systemd change as a sinister plot
that has "altered the identity infrastructure of every major Linux
distribution
". While the site does not shy away from casting a spotlight on
individuals in the systemd project, it does
not disclose the person or persons who are behind The TBOTE Project. Aaron
Rainbolt said that
the site had been "used as part of a doxxing/harrassment attack
" against
an individual, which seems to refer to Taylor. "Given that the person running
this repo actively helps doxx people, I consider them (semi-)malicious"
.
The TBOTE Project site is not alone in trying to fan the flames. Sam Bent, who describes himself as a YouTuber and content creator on his LinkedIn profile, published a hit piece against Taylor on March 20. It would also be best described as "malicious"; the less said about its contents the better, but it seems to have inspired some number of personal attacks against Taylor well beyond the usual objections in a GitHub pull-request comment thread. In an interview with the "It's FOSS" web site, Taylor described some of the backlash he has received; it is far beyond what an open-source contributor (or anyone else) should ever have to put up with:
I understood that the change was not going to be popular, but I was expecting civil discourse and a level-headed response. Things like death threats and harassment are not okay, especially when it negatively impacts unrelated third parties. However, the doxxing (and I am NOT just talking about my name, email and resume – that stuff is on my website, and is reasonably public. I don't commit with a pseudonym and I think it's reasonable to critique my contributions), hate mail, racism, homophobia, antisemitism, editing of my photo, turning my profile picture into memes and making fun of my appearance, etc. made me lose a bit of faith in the FOSS community. I'm really disappointed at the reaction. We should do better than this.
The unpleasant truth
The frustration and anger over government and industry pushes for age verification is justified; taking it out on open-source maintainers or projects is not. Reasonable people can disagree whether it is likely that, say, California would choose to prosecute Linux vendors or projects for non-compliance. We can certainly hope that logic would prevail, but one only needs to look around at the world today to determine that logic wins the day much less often than it should. Hoping that legal authorities will choose to overlook a project, or that the stars will align to provide a positive legal outcome, is not an effective strategy when it comes to avoiding real legal risk.
If a person or project wishes to take on that risk to challenge such laws, that is commendable; but demanding that another person or project take on such risks is unreasonable. The monetary costs of mounting a defense against a state government, even if ultimately successful, would be substantial and more than many projects could afford.
The efforts to push age-verification laws and similar unpleasantness did not show up on the open-source community's doorstep without warning. These political winds have been gathering strength for years; if they are to be challenged, they need to be dealt with by movements and organizations designed to take them on. Rather than harassing individual maintainers, for example, concerned people would do better to put their weight behind organizations like the Electronic Frontier Foundation (EFF) that have spent decades fighting exactly this sort of thing.
It is possible to counter legislative threats to open source and privacy without lobbing death threats at open-source maintainers (or anyone else). The European Union's Cyber Resilience Act (CRA) is a somewhat recent example. The CRA sets automatic security update and incident report requirements for products with digital elements; in non-legislative speak, this means software and devices that run software. The original drafts of the legislation would have saddled freely available open-source software with the same requirements as commercial products.
One might consider it reasonable and even desirable, for example, to require the manufacturer of a router, mobile phone, or car-entertainment system to provide security updates. But the same requirements would have applied to open-source maintainers and projects even when no money had changed hands. That, of course would have been a disaster for open source. FOSS organizations, such as the Eclipse Foundation, Linux Foundation Europe, Open Source Initiative, as well as several others pushed back politely, but firmly, and succeeded in having the CRA draft modified to exempt open-source software.
Attacking open-source maintainers, projects, or Linux distributions is not going to stop government and industry pushes for age verification. In fact, it will not be effective at anything except contributing to maintainer burnout, weakening the larger community, and perhaps encouraging developers to do more behind closed doors—or to stop contributing entirely.