Age assurance laws and open source: what maintainers need to know
By GitHub
Key Concepts
- Age Assurance: An umbrella term for methods used to verify or estimate a user's age.
- Age Verification: High-confidence methods (e.g., government-issued photo ID, financial institution checks).
- Age Estimation: Using signals or biometric scanning to guess a user's age.
- Age Attestation: Low-confidence self-reporting (e.g., "I am over 18" checkboxes).
- Open Source Definition (OSD): A set of principles maintained by the Open Source Initiative (OSI) that defines the "four freedoms" of software.
- Developer vs. Deployer: The critical distinction in policy. The developer creates the code, while the deployer (e.g., a platform or website) hosts and serves it to end-users.
- Chilling Effect: The phenomenon where legal ambiguity or fear of liability causes developers to restrict access to their software or abandon projects to avoid potential criminal or civil penalties.
- Open Policy Alliance (OPA): A coalition of nonprofit open source organizations that coordinates policy engagement and education for the community.
1. The Challenge of Age Assurance Legislation
The discussion centers on the rise of legislative proposals in the US, Brazil, and Europe aimed at protecting children online. While the intent is to prevent exposure to harmful content, the legislative language often uses broad definitions of "applications" and "app stores." This creates a risk where open source infrastructure—such as operating systems (e.g., FreeBSD) or package managers (e.g., F-Droid)—could be inadvertently swept into the scope of these laws.
2. Technical and Structural Misalignments
The panelists highlighted that many lawmakers assume a centralized, proprietary model (like Apple or Google) where a single entity controls user accounts, monetization, and software distribution.
- Decentralization: Open source projects are often distributed, mirrored, and modified by third parties. The original developers have no "downstream control" over how the software is deployed or who uses it.
- Licensing Constraints: Open source licenses are designed to permit free sharing and modification. Developers cannot revoke these licenses if a downstream user fails to comply with a specific government regulation, creating a conflict between legal mandates and the nature of open source.
3. Risks and Chilling Effects
- Liability: The primary concern is the potential for civil or criminal penalties. Even if a project is technically exempt, the cost of legal defense is prohibitive for volunteer-led or small nonprofit projects.
- Access Restriction: To avoid legal risk, projects might resort to "over-correction," such as geoblocking certain regions or restricting access to their software, which undermines the global, collaborative nature of open source.
4. Advocacy and Engagement Framework
The panelists emphasized that the open source community has agency and can influence policy through education rather than just reactive lobbying.
- Educational Approach: Instead of framing regulation as "bad," the community should act as "thought partners" to help lawmakers understand the technical reality of software development.
- Surgical Amendments: By engaging early, the community can help draft "surgical" language that exempts open source infrastructure while still addressing the lawmaker's goal of child safety.
- Case Study (Colorado): The community successfully engaged with legislators in Colorado, resulting in significant improvements to the language of an age assurance bill, proving that developer input is highly effective when provided during the drafting phase.
5. Notable Quotes
- Katie Seen James (OSI): "An open source license means that you don't have control of downstream users... you cannot revoke the license if a downstream user of your code does something that they shouldn't."
- Anne Dickison (FreeBSD Foundation): "It's kind of like apples and oranges... there is not one company controlling the user account, the how the software's installed, the App Store itself."
- Margaret Tucker (GitHub): "Developers are the experts on developer policy."
6. Synthesis and Conclusion
The main takeaway is that while the goal of protecting children online is universally supported, current legislative trends threaten the open source ecosystem due to a lack of technical understanding by policymakers. The community must move toward greater coordination—modeled after the successful European engagement on the Cyber Resilience Act—to ensure that regulations target the "deployer" level and specific harmful features rather than the underlying software code. Developers are encouraged to join coalitions like the Open Policy Alliance and engage directly with their representatives to provide the technical expertise necessary for sound, effective policy design.