Here are my two cents on age verification as someone with a bit of
political experience. This is also my first message to one of
OpenBSD's mailing lists so hello!
OpenBSD's history shows it has previously resisted U.S. attempts at
software censorship thanks to its Canadian domicile. It includes
non-U.S.-developed cryptographic code that was not subject to U.S.
export restrictions on cryptography back in the day and being
registered in Canada further shielded it from U.S. laws.
I know it's really tempting sometimes to comply with such demands out
of the misguided notion that the hassle of noncompliance isn't worth
it, or that it's just a dialog box at account setup and nothing more.
This is exactly what the people pushing for these measures are
counting on.
So first of all: is it just a dialog box at account setup and nothing
more, or is it the precedent that governments can force open-source
developers to write their software a specific way and making certain
forms of software (i.e. operating systems without age attestation)
illegal to distribute? The best time to challenge a precedent is when
it's being set. Many people have mentioned the slippery slope from
this to future verification (as opposed to just attestation), and it
is important to note why they want to do this in a two-step process
instead of going straight there: by implementing the entire measure
straight, opponents of the law will be able to organize against it by
tapping into people's reaction to both the harmful precedent and the
actual action itself; by splitting it into two, initial momentum can
be built up only by citing the precedent and potential slippery slope
and then dismissed by making age attestation appear to be a
reasonable compromise between no restrictions at all and full age
verification—and then later on, once the precedent is set and that
public discussion is closed, the next step will only have to be
justified for the difference (the change from age attestation to age
verification), not for anything generally applicable to both
attestation and verification, and attempts to build momentum can be
demobilized by citing the fact that the new verification law is not
too significant of a change over what already happens. (I hope that
makes sense.)
The other thing is that software, and open-source software
especially, is a form of creative expression in much the same way art
is. Forcing a developer to include code they don't want to, and
something they may fundamentally disagree with, is a form of forced
expression; meanwhile, restricting a developer from distributing code
unless it meets a certain set of criteria (namely the inclusion of
age attestation or verification) is a restriction on their
expression. This is especially true in today's political context
where there are ever-increasing attempts to forcibly withhold
material from children if it goes against some sort of political
agenda that's being pushed, like the book bans on 2SLGBTIQA+ content
in parts of the United States designed to force queer kids to live in
isolation and remain in the closet, or preventing children from
learning about sex education. This works in tandem with "parenting"
techniques that encourage parents to cut off any form of peer or
other social support kids may have outside of the context of that
political agenda, where for instance the parent of a trans kid might
ban them from talking to any of their supportive friends and may even
send them to live in a "camp" where they'll be abused all day (we had
to pass a law against it back in 2022 in Canada). There are entire
ecosystems built around isolating children, stripping them of any
potential support networks and indoctrinating them into harmful
worldviews, and for these kids, the Internet can be the only lifeline
keeping them going. Forcing a developer to contribute to this, let's
be frank, obscene ecosystem is a significant impairment of their
rights (of course, not to mention the child's rights).
It should be pretty clear by the way that this applies to both age
attestation and age verification. Let's not miss the forest for the
trees; in trying to counter the actual attestation/verification part
of it, let's not forget that the core premise—that parents have the
right to fully control the information children are permitted to
access—is in and of detrimental to the idea of a free and democratic
society. This is also why I'm not particularly fond of arguments that
exclusively appeal to the "unintended" impacts of such attestation or
verification on adults, because while that's true, such arguments
often begin by accepting the core premise and only challenging the
implementation for its unintended effects. This problem cannot be
solved by negotiating a different strategy for preventing children
from accessing information the adults in charge don't want them to
access; it can only be solved by rejecting this entire notion that
that's something acceptable, least of all something we should all
contribute to and entertain, wholesale.
On top of that, community-run open-source operating systems including
some Linux distributions and OpenBSD are the one refuge people can
find from constant attacks on their digital freedoms left, right and
center. These attacks can come from big corporations or they can come
from governments. If users cannot be guaranteed protection from such
attacks even on open-source software and when these attacks come from
foreign adversarial states, what even is the point of community-run
open-source software? (And 'fork it, remove the code and compile your
own version' is not feasible; I do not expect every 12 year old in an
abusive household to be able to do that.)
And as a bonus point, let's take note of the fact that what
California and Colorado and all these other jurisdictions are
purporting is that for an operating operating system to be legally
compliant, it must be designed with the concept of user accounts tied
to natural identities. This is an architectural design choice that
politicians have absolutely zero business trying to make; it is akin
to demanding that all canvas paintings be drawn following the rules
of two-point perspective. This is our domain as software developers.
Politicians have no right to decide this for us.
I fully understand and empathize with Kevin's frustrations here.
OpenBSD is a Canadian organization. It should not even be a question
that the laws of a foreign country (let alone one that believes it is
entitled to invade and colonize Canada) ought to have absolutely zero
bearing on our conduct here. Being frightened over these obscene
fines an adversarial foreign state purports to impose is, to be
blunt, cowardice.
I also want to emphasize from the perspective of a consumer just how
demoralizing it is to see institutions founded around the principles
of liberty and open-source falling in line. It is one of the most
effective ways to kill any chance of there being an effective
political opposition against this agenda. If they won't stand up
against such tyranny, who even will?
If it were a random country in the Middle East claiming worldwide
authority to ban feminist content, we would rightfully mock it,
refuse to comply with its demands, and possibly even implement
affirmative measures to help users circumvent any technical barriers
they might attempt to place in their way (as Signal did when certain
countries tried banning it). Yet since it is the U.S., people just
somehow get the impression that that's simply not possible.
The reality is that it's a foreign country either way and physically
does not have the ability to enforce its laws abroad regardless of
what its laws might say. This is not a legal claim I'm making; it's
one of practicality. California can issue whatever fines it feels
like against OpenBSD, but without assets in the U.S., debts owing to,
or a mechanism to have these fine s reciprocally recognized
elsewhere, those fines would not be worth the paper they're written
on.
Open defiance of such proposals also sends a signal to the people
pushing for these measures that it won't be as simple as ramming
their agenda through their legislatures and that they'll actually
need to put in a fair bit of work to even have a chance at actually
having it complied with. Governments don't like when laws are openly
flouted, because it challenges the idea that they have inherent
authority beyond what they're given by the state's capacity to
enforce them. If a government knows that a law will openly not be
complied with, it will try not to pass that law in the first place
in order to preserve this facade that once something is law it
necessarily has to be complied with no matter what.
I'll close by saying that compliance with a frown is still compliance.
No comments:
Post a Comment