Category: USA

California’s OS-based age verification law challenges open-source community

California’s OS-based age verification law challenges open-source community

California’s OS-based age verification law challenges open-source community
California’s new online safety bill, AB 1043 (the Digital Age Assurance Act), adopts a declared age model for operating systems. Under the law, which is set to take effect on January 1, 2027, when a user sets up a new device, the operating system is required to ask for their age or date of birth. This declared age will be used to curate what’s available on the app store, and can be shared with developers on request to ensure age-appropriate experiences.

An article in PC Gamer points out that this “sounds incompatible with many of today’s open source software, including Linux.” The open source community is wrestling with the problem of how to comply with the laws while also not violating core privacy principles.

The piece muses on technical solutions, quoting Jef Spaleta, project leader for popular Linux distribution, The Fedora Project, who says “this might be as simple as extending how we currently map uid to usernames and group membership and having a new file in /etc/ that keeps up with age.”

Or, “it might be as simple as that and we extend the administrative cli and gui tools to populate that file as part of account creation. That might be simplest and it solves the problem for the full ecosystem of Linux OSes. Then applications just have to start choosing to look at the file.” To Spaleta, this suggests a D-Bus Service, which allows communication between programs.

Ubuntu, another Linux distribution, is also unsure of how to respond, and says it is consulting with its lawyers before making a plan.

California age law does not compute with DB48X

The point is, in putting the onus on operating systems to collect age data, AB 1043 is causing headaches for open source nerds. Both California’s bill and a like-minded bill in Colorado, SB26-051, have drawn the ire of the creators of an open source calculator, DB48X, described as “a project to rebuild and improve upon the ‘legendary’ HP48 family of calculators and RPL programming language, and for modding newer calculators to utilise it.”

Rather than comply, DB48X has opted to restrict access for Californians and Coloradans when (and, in Colorado’s case, if) their laws come into effect. A legal-notice file for the project says “DB48X is probably an operating system under these laws. However, it does not, cannot and will not implement age verification.”

Per PC Gamer, “you know you’ve messed up when you’ve angered the math lot.”

The calculator guys are not alone. Ground News has a roundup of articles expressing variations of grievance. WebProNews says California’s law “forces a surveillance mandate on every developer – including those who can’t comply.” The Daily Economy says “California is embedding age verification directly into digital devices. For those of us concerned with personal liberties, this is an emergency.”

No verification required, actually

PC Gamer also notes the challenges of enforcing a law that means “the job of checking whether people have installed its OS falls onto Californian authorities to deal with.”

“Both Californian and Coloradan bills set out civil fines of $2,500 for unintentional breaches and $7,500 for intentional breaches, but how would the majority of breaches be discovered in the first place?”

Another criticism asks why California does not specify what level or extent of age verification it requires. If it’s just a date of birth, Spaleta says, “a simple dropdown interface may suffice,” meaning “the effectiveness of such a system appears to be based on an honour system.” Self-declaration at the root negates the entire process; this would-be age verification law, in fact, does not mandate age verification at all. Technically, it’s not even age assurance.

California’s law is less than a year away from taking effect, and Colorado’s bill (which more properly labels its goal “age attestation”), if passed, would take effect January 1, 2028. Ironically, the piece ends up lamenting the speed at which new technology is becoming normalized: the laws, it says, are “coming at a time when age verification is being rolled out more widely across the globe and facing stern criticism, such as an open letter from scientists and researchers that notes the many pitfalls of ill-thought-out verification methods.”

The letter in question has provided a common reference for those opposed to age assurance laws and technologies for various reasons. The open source community now joins social media tycoons, privacy advocates and pornographers in opposing such laws, which they say are invasive and dangerous – but which lawmakers insist parents are asking for, as they work to find the right legal model.

DHS quietly built pathway to track Americans through advertising data economy

DHS quietly built pathway to track Americans through advertising data economy

DHS quietly built pathway to track Americans through advertising data economy
For years, the Department of Homeland Security (DHS) quietly experimented with turning the digital advertising ecosystem into a surveillance tool.

Internal privacy records show that Customs and Border Protection (CBP) tested whether smartphone advertising identifiers collected by mobile apps and sold through data brokers could be used to reconstruct the movements of individuals across the U.S.

At the same time, other DHS components were purchasing similar datasets for investigative use, often without completing required privacy reviews or establishing clear policies governing how the information could be accessed.

Now, those efforts are drawing renewed scrutiny on Capitol Hill.

A coalition of lawmakers led by Senator Ron Wyden is urging the DHS Inspector General (IG) to investigate whether Immigration and Customs Enforcement (ICE) has resumed buying Americans’ cellphone location data from commercial vendors, potentially reviving a controversial surveillance practice the inspector general previously concluded violated federal law.

The congressional inquiry arrives as ICE surveys the private sector for new tools capable of harvesting and analyzing location signals generated by the digital advertising marketplace, a data pipeline capable of mapping the movements of millions of devices in near real time.

Together, the records suggest that DHS’s interest in commercial location intelligence is not a new development. It is the continuation of a strategy that has been quietly developing inside the department for years.

Documents reviewed in connection with the inquiry illustrate how that strategy has evolved inside DHS. One record, a Privacy Threshold Analysis (PIA) obtained by 404 media, describes an early pilot effort inside CBP that examined whether smartphone advertising identifiers, commonly known as AdIDs, could serve as a reliable investigative signal.

Another document reflects the mounting congressional concern that DHS components may still be purchasing commercial location data despite earlier oversight findings that identified legal and policy violations.

Taken together, the materials reveal a through-line connecting early experimentation with advertising identifier data, a major inspector general audit of DHS surveillance practices, and the current controversy surrounding ICE’s interest in new commercial location intelligence tools.

The PIA was for what CBP described as an AdID Efficacy Pilot. Privacy threshold analyses are preliminary reviews conducted within DHS to determine whether a proposed system or project requires a more detailed Privacy Impact Assessment (PIA) under federal law and departmental policy.

In this case, the document evaluated whether the proposed pilot involved privacy sensitive information and whether additional safeguards would be required before operational use.

The project focused on advertising identifier data generated by smartphones and mobile applications. Advertising identifiers are unique device level codes assigned by mobile operating systems and used by advertising networks to track user behavior across apps and websites.

Because the identifiers persist across sessions, they allow marketers to measure consumer activity over time. But the same characteristics that make AdIDs useful for targeted advertising also make them attractive for investigative analysis.

According to the privacy documentation, the pilot relied on commercially available datasets compiled from mobile applications that collect location signals through embedded software development kits.

These signals flow into advertising exchanges when mobile ads are served, where location data tied to a device identifier can be captured and aggregated by data brokers.

Commercial vendors then package that information into analytical platforms that allow users to query device movements over time.

The CBP pilot was designed to test whether those platforms could support border security investigations by revealing travel patterns associated with specific devices.

Analysts could examine location histories, identify devices that appeared together at particular locations, and reconstruct patterns of movement over extended periods.

Rather than functioning as a real time tracking tool, the system was intended to support retrospective analysis. By querying historical datasets, investigators could attempt to identify devices that had previously crossed certain locations or traveled alongside other devices of interest.

The privacy analysis also indicates that the system could access historical location data extending back several years, and that analysts could query data in ninety-day increments.

While the document emphasizes that the data originated in the commercial advertising ecosystem rather than from telecommunications providers, it also acknowledges the privacy sensitivity of the information.

Movement patterns derived from location data can reveal highly personal details about individuals, including where they live, work, worship, or seek medical care.

“Location data is extremely sensitive … It is for that reason that ordinarily, the government must obtain a warrant from a judge in order to demand such data from phone or technology companies,” the lawmakers’ letter states.

For that reason, DHS privacy officials concluded that the system qualified as a privacy sensitive program and would require a full PIA before broader operational deployment.

The document also noted that the pilot was connected to the DHS Intelligence Records System, a system of records that governs certain categories of intelligence information collected by CBP.

The internal pilot was not the only example of DHS components exploring commercial location intelligence.

In 2023, the DHS Inspector General performed a major audit examining how several DHS agencies had acquired and used what the report described as commercial telemetry data.

That category includes smartphone location histories derived from advertising identifiers and other commercial data sources.

The audit found that CBP, ICE, and the U.S. Secret Service had all obtained or used commercial location data without fully complying with federal privacy laws or departmental policy requirements.

Investigators determined that the agencies had procured or used the data without completing required PIAs in advance, a step mandated by the E-Government Act of 2002 when federal agencies deploy systems that collect or process personally identifiable information.

The review concluded that weak internal controls and insufficient oversight by the DHS Privacy Office allowed these acquisitions to proceed without the required safeguards.

The inspector general also found that DHS lacked a department-wide policy governing how commercial telemetry data could be purchased or used across components.

Without a consistent framework, different agencies were left to develop their own ad hoc rules for accessing and analyzing the data, the IG found.

The IG recommended that DHS develop a comprehensive department wide policy governing commercial telemetry data and strengthen controls to ensure privacy assessments are completed before such technologies are deployed.

The audit also raised concerns about how the data was being accessed internally. Investigators found examples of employees sharing database login credentials and supervisors failing to review audit logs that could reveal potential misuse. In at least one case, an employee used the data to track coworkers.

Those findings now form the backdrop to the new congressional request for investigation.

In the letter Wyden and fellow lawmakers sent Tuesday to the inspector general, they said contracting records and public reporting indicate ICE may have resumed purchasing Americans’ location data from commercial vendors even though DHS has not fully implemented the oversight reforms recommended in the earlier audit.

The lawmakers also pointed to a 2025 procurement involving the investigative analytics firm PenLink. According to the letter, ICE issued a no bid contract that included licenses for a location intelligence platform known as Webloc.

Webloc was developed by the data analytics company Cobwebs Technologies, which merged with Nebraska-based PenLink as part of a private equity acquisition valued at roughly $200 million.

An Israeli startup, Cobwebs had previously drawn controversy in the technology sector after Meta in December 2021 banned the company from its platforms during a crackdown on surveillance mercenary firms that were accused of targeting activists, journalists, and political figures.

The lawmakers’ letter states that ICE cancelled a scheduled February 10 congressional briefing about the contract at the last minute and has not provided further information about the purchase.

“ICE cancelled it with no explanation and without any offer to reschedule,” the letter states.

PenLink is not a new presence in federal law enforcement technology procurement. The company has spent decades supplying communications analysis platforms used by investigators to process call records, digital evidence and intercepted communications obtained through lawful investigative authorities.

Federal agencies including the Federal Bureau of Investigation, Drug Enforcement Administration, and numerous state and local law enforcement organizations have purchased PenLink software for digital investigative work.

Federal procurement records show that contracts for PenLink investigative platforms extend back more than a decade across multiple government agencies.

Many of the individual purchases appear relatively modest, often involving software licenses or maintenance agreements valued in the tens or hundreds of thousands of dollars.

However, larger enterprise deployments and multi-year agreements have pushed some contracts into the multi-million-dollar range.

When these enterprise contracts are combined with the dozens of smaller purchase orders issued across federal law enforcement agencies, the cumulative federal investment in PenLink and related investigative analytics platforms likely reaches well into the tens of millions of dollars.

The company’s merger with Cobwebs expanded that technology ecosystem into the commercial data analytics market, including platforms capable of processing open source intelligence and location signals derived from commercial datasets.

That convergence between investigative analytics tools and commercial location intelligence platforms is precisely what has alarmed privacy advocates and members of Congress.

The DHS IG report made clear that the department has struggled to establish consistent rules governing how commercial location data can be used.

the IG determined that CBP, ICE, and the Secret Service “did not adhere to department privacy policies or develop sufficient policies before procuring and using commercial telemetry data.”

Even after the audit, the department still lacked a comprehensive DHS-wide policy governing the acquisition and use of commercial location intelligence.

The renewed congressional scrutiny suggests lawmakers believe those gaps remain unresolved.

If ICE ultimately moves forward with new contracts for advertising technology-based location intelligence, the capability first tested quietly in a CBP pilot program could become a routine investigative tool across DHS.

At that point, the central question for policymakers will not be whether the technology works. It will be whether the rules governing its use are strong enough to prevent the commercial data marketplace from becoming one of the most powerful surveillance infrastructures available to the federal government.