Colorado is pushing legislation that would require operating systems—including Linux—to provide age attestation APIs that tell every app how old you are. It's a massive technical and privacy overreach that could reshape how computers work.
The bill, SB26-051, sounds reasonable at first: protect kids online by making sure age-restricted apps know who they're talking to. But the implementation is bonkers.
Here's what it requires: every operating system must create an account setup interface requesting users' birth dates, generate an "age signal" indicating age brackets (under 13, 13-16, 16-18, 18+), and provide developers API access to query this signal. Apps would be required to check this signal before launching certain features.
Let me explain why this is technically unworkable and privacy-hostile.
First, the verification problem. The bill never actually specifies how age gets verified. It just requires account holders to "indicate" their age. No ID check, no validation, no verification mechanism at all. Anyone can lie. The entire system runs on the honor system.
So it won't achieve the stated goal of protecting kids—because kids will just lie about their age, like they do on every other platform.
Second, the privacy implications. This bill would bake age tracking into the operating system itself. Every app on your computer could query how old you are. That data would exist in a standardized API that any developer could access.
Think about what that enables. Apps you've never heard of, random utilities, malware—anything running on your system could query your age bracket. And once that data exists in a standardized format, it becomes a target for data brokers, advertisers, and hackers.
Third, the Linux problem. Linux isn't controlled by a single company that can implement unified account systems. It's maintained by thousands of developers across hundreds of distributions. How exactly does Colorado plan to enforce this on open-source operating systems?
The answer is they haven't thought it through. Legislators are trying to solve online safety by fundamentally changing how operating systems function, without understanding the technical or privacy implications.
