molly's guide to cyberpunk gardening

AB 1043 is badly drafted

I was reveling in the "get mad, get even" approach of Ageless Linux this morning

Ageless Linux

when a bit of AB 1043 caught my eye:

"User" means a child that is a primary user of a device.

And my long-dormant training in statutory interpretation said "that is a bad definition." Then it said "If this definition is that bad, how badly is the rest of the statute drafted?"

Answer: pretty badly, friends.

For the blissfully ignorant, AB 1043 is a California law requiring an "operating system provider" to collect age data for device users at account setup, then relay that information via API to any and all "developer[s]" and "covered application store[s]" anytime the device user seeks to download or access an app from them. The law provides for fines of $2,500 per child for negligent violations and $7,500 per child for willful ones.

Here's the full text of AB 1043

All the major OSes already comply; all the FLOSS/homebrewed ones can't. This is by design.

But this statute is so badly written that it's unenforceable. It's at risk of being void for vagueness. Just a few examples:

user vs account holder

An "account holder" is *either* "at least 18 years of age" OR "a parent or legal guardian of a user who is under 18 years of age in the state." Props for recognizing the existence of teen parents, I guess?

I'm not sure what "in the state" is doing there. Are children routinely under 18 years old in California but over 18 elsewhere? Nevada must love that.

Seriously: it's impossible to tell here whether "in the state" is meant to modify "a user who is under 18 years of age" or "a parent or legal guardian." This is not the only example of this particular issue in the statute's language.

Account holders are not "users." A "user" is by definition a child under 18 "who is the primary user of device." (Yes, this means the definition of "account holder" includes a phrase with the meaning "a child under 18 who is the primary user of a device who is under 18 years of age." Don't think about it too hard; whoever wrote this surely didn't.)

First, defining a word by using the word is bad practice generally and bad practice in law. A user is a user, folks. Who knew?

Second - and the first thing to catch my eye this morning - is that this law defines "users" as children who are the *primary* person using a device. Which means one could get around this requirement by returning to the "family computer" model. My child is not the "primary" user of our home computer; they're an auxiliary user, at best. (This hack will become relevant in a moment.)

you too are a "developer" and an "operating system provider"

"But I'm a complete technoweenie!" you're probably not saying if you're reading this on Gemini (which is where you should be; my blog is beautiful in LaGrange). "How can I be a developer or an operating system provider?" With Statutory Overbroadness(TM), you can be anything!

Here's how AB 1043 defines those terms:

"Developer" means a person that owns, maintains, or controls an application.
"Operating system provider" means a person or entity that develops, licenses, or controls the operating system software on a computer, mobile device, or any other general purpose computing device.

If you homebrew an application, you "own" it. If you push updates to it, you "maintain" it.

You ALSO "maintain" and "control" an application if you *install* updates to it, at least according to the plain meanings of those words. If this statute intends those words to be defined another way, I'd love to hear California's AG explain it.

Similarly, you license an OS when you buy a device, in most cases. Every Windows laptop, for instance, comes with a license to run the version of Windows on that machine. You also "control" the OS to the extent you can manage its settings, updates, and so on.

[Sidebar: Windows is pushing ever harder for a world where Windows resides in the cloud, giving Microsoft total control over it and your data. You may not even have access to settings and updates in five to ten years. Come back from 2036 and tell me how that went.]

Why does this matter? Because "developers" and "operating system providers" are the targets of liability under this statute! If you, say, Linux From Scratch a device that doesn't collect or send age info and give it to your kid as their personal computer, this statute gives the state of California grounds to come after you for up to $7,500. Per kid. God help you if you have a stable of them.

Linux From Scratch

mommy, where do applications come from?

"Application" means a software application that may be run or directed by a user on a computer, a mobile device, or any other general purpose computing device that can access a covered application store or download an application.

This definition contains two problems we've already seen. First, it defines the word by using the word. Second, it's unclear whether "that can access a covered application store or download an application" modifies "a computer, a mobile device, or any other general purpose computing device" or "a software application that may be run or directed by a user."

If it's the second one, then an OS should be exempt from this law if it lacks the capability to access the Internet or to download files. Which implies one could homebrew Linux without age verification, hand the device to a child, and then upload applications to the device via a USB stick. (Note the statute does not mention uploading, only downloading.)

Also, I'd be curious to see a piece of software that cannot be "run or directed by" a child under 18 (remember, that's how we're defining "user"). Does the CAPTCHA require you to name the last time you were on the phone with Blockbuster Video? This has no practical application, making it yet another example of crappy drafting. If it doesn't need to be in the statute, leave it out; it's just muddying up the waters. This sort of ambiguity keeps lawyers in business, but it's often fatal to statutes.

error: user is a middle aged woman

AB 1043 requires an "operating system provider" (remember, that's you if you're downloading updates!) to require an "account holder" (that's you if you're at least 18 or are a parent) to provide the birthdate and/or age of a "user" (that's a child who is the device's primary user). Note it doesn't say anything about having to provide your own age/birthdate if YOU are the device's primary user. Nor does it seem to account for the fact that teen parents do in fact exist. Is a 16 year old parent a "user" or "account holder" or both? What responsibilities do they have if they're an account holder making their own account for themselves, a user? This law is badly written.

The "operating system provider" (remember, that's you) must also provide an API that sends that age information to "a developer who has requested a signal with respect to a particular user with a digital signal via a reasonably consistent real-time" API.

"with respect to a particular user" is recursive because of the way the statute defines "user." Basically, the developer has to ask for information defining a "child" without knowing what a "child" is and whether they actually exist on the system.

I'm not a programmer, but I have to believe that this instruction, carried out literally, would return an error message in at least one situation. If I ask "hey, send me information about the user" but there is no "user" (as defined) in the system, shouldn't the API return "error: no user found"?

Remember, a "user" is a child under 18. If I'm 18+, and a developer asks "hey, send me info about the under-18," my computer should be like "there's no under-18 here." Right? Again, not a programmer, but this seems pretty basic to me.

But fear not: AB 1043 doesn't want you to run this statement literally! Even though statutes are supposed to be read literally, or as close to literally as possible! AB 1043 actually requires developers to send two requests to an OS:

These do, at least, seem to fit together. If you're signaling "this user is under age 18," you can also break down how far under 18. (Though I maintain that 18+ should still throw an error message.) The problem is that neither of these is actually doable without violating COPPA. COPPA prohibits the sharing of minors' information online without parental consent. This includes information about whether the minor *is a minor.*

Also, it's creepy. Every app now has to be like "hey baby, u legal?" Come on.

does not apply

AB 1043 is careful to note two situations in which AB 1043 does not apply:

The second one is probably intended to prevent liability when, say, a 13 year old uses Dad's laptop to look at porn. Except it doesn't. "Who is not the USER to whom the signal pertains" is key here. Dad isn't a "user," by definition. He is an "account holder." So this would really only kick in when Junior borrows Big Sister's laptop...except she's 17, and the API should therefore also stop her from seeing the porn app?

As drafted, this exception really only applies when apps are available to teens only, or to ages 16+, and an eight year old accesses them on big sister's device or something. It's such a weirdly narrow slice of situations to address. It may be intended to cover adults, but it doesn't (adults, once again, ARE NOT USERS). AB 1043 leaves liability open for OSes and app developers when a kid swipes an adult's device! How comforting!

kids are smarter than this

Of course, as the Ageless Linux website points out, kids are smarter than all this. They'll just sign up with a fake birthdate. Only the kids whose parents hover over them at account creation are likely to have their real birthdates added - and maybe not even then. If I had kids, they'd all share a birthday with Taylor Swift for the purposes of a Windows login. It's not Windows' damn business whether they *are* kids, let alone how old they are.

[ETA: AB 1043 only kindasorta shields OS providers and app developers from liability if a parent lies about a child's birthdate at account signup. Developers aren't allowed to ignore "clear and convincing" signals a user is actually under 18. The law doesn't define these - maybe they include incessant streaming of Blue's Clues? Which, to be honest, also seems problematic. Should an app store be in the business of judging people's taste in apps? Makes me wonder how many elementary school teachers will get pinged as "actually under 18" for downloading a bunch of kid-focused apps to test for classroom use.]

We are teaching kids that laws are there to be skirted. As if the US isn't already having a Constitutional crisis. But then, no one who butchers statutory drafting this badly has much respect for law to begin with.
