GrapheneOS refuses to comply with new age verification laws for operating system

Original Article ↗ Hacker News Discussion ↗

GrapheneOS stance and consequences

  • GrapheneOS publicly commits to never collecting personal data or IDs, even if laws demand OS-level age verification.
  • Supporters applaud this as principled resistance to surveillance and “puritanical” regulation.
  • Critics call it symbolic or “virtue signaling,” noting GrapheneOS doesn’t sell hardware and can simply be blocked or excluded from markets.
  • Some argue they should seek creative, privacy-preserving compliance rather than binary refusal, or accept being unavailable in some jurisdictions.

Motorola partnership and distribution

  • Key tension: US laws versus GrapheneOS’s stance.
  • One camp expects Motorola to avoid preinstalled GrapheneOS in affected US states, possibly limiting the partnership’s impact.
  • Others say the main benefit is better hardware security and official support, not preinstallation; stock Motorola Android can ship in regulated markets, with GrapheneOS as a user-installed option.
  • There’s disagreement about Motorola’s primary markets (US vs LATAM/Europe), which affects how much they can “route around” US state laws.

Nature of the age-verification laws

  • California: OS must collect birth date and expose an API returning age bands (e.g., <13, 13–16, etc.) to app developers. Data may need to persist until the user turns 18.
  • New York proposals reportedly add biometric checks.
  • Several commenters propose “malicious compliance” (fake DOB, APIs that respond only after 18 years, or extremely slow “real time” answers), while others doubt courts would tolerate obvious loopholes.

Systemd / Linux ecosystem reaction

  • Systemd added an age field tied to user accounts; defenders frame it as a simple local restriction tool, not full verification.
  • Opponents see it as Linux capitulating to invasive laws and creating a precedent; some talk about moving to non-systemd distros or BSD.
  • Others note that distros can patch this out and that commercial backers must satisfy legal requirements if they sell in regulated jurisdictions.

Privacy, child safety, and motives

  • One side: OS-level age signals are the “least bad” way to support child protection, offloading checks from every site/app and avoiding ID uploads to third parties.
  • The other side: these laws are portrayed as “moat” or surveillance infrastructure, driven by large platforms (e.g., Meta) to shift liability and obtain fine-grained age data.
  • There is extensive debate about whether better parental controls and content labeling (e.g., RTA-style flags) would suffice without centralized age APIs.

Legal realism and enforcement

  • Some technologists initially treat the law like code to be “hacked,” but others stress that enforcement is political and power-based: small projects can’t count on friendly interpretations.
  • A recurring theme is that the “intent” of these laws, not just their text, will guide judges, making clever technical workarounds risky for smaller actors.