An Opinion on Colorado SB 26-051, California AB 1043, and New York SB S8102A
Introduction
Colorado, California, and New York have all introduced or passed legislation requiring operating systems to report age brackets to app stores and websites, and in New York’s case, mandating that adults verify their identity through state-approved methods just to use an internet-connected device. The stated goal is protecting children online. The actual effect is building surveillance infrastructure and calling it safety.
I work in cybersecurity and IT for a public sector organization. I run Pop!_OS on two machines at home and Fedora on a third. When Canonical and Elementary OS announced they were looking at implementing age verification via a D-Bus interface, I had already started working on freezing my OS images and either writing or adopting tooling to spoof whatever verification response the system would expect. Not because I have anything to hide. Because I own my hardware and the state does not get to conscript it into a surveillance apparatus.
System76 CEO Carl Richell put it well in his March 2026 commentary: the practical effect of these laws is not protection, it is surveillance infrastructure dressed up in the language of child welfare. That is not a fringe reading. It is what the technical architecture of these laws actually produces. History is consistent on this point. You do not eliminate behavior by restricting the safest channels for it. You funnel people into less accountable, less visible, more dangerous spaces and call it a win.
The answer, the same answer it always is, is better education and open communication. These laws fail that test. They also fail the constitutional one, and badly.
I. Compelled Speech
The most immediate constitutional problem is compelled speech, and it is about as clean a case as you are going to find.
In West Virginia State Board of Education v. Barnette, 319 U.S. 624 (1943), the Supreme Court established that no official can prescribe what shall be orthodox or force citizens to affirm things they do not wish to affirm. Wooley v. Maynard, 430 U.S. 705 (1977), struck down a New Hampshire law requiring citizens to display the state motto on their license plates. If the government cannot compel you to display a motto on a car, it cannot compel a software developer to transmit age classification signals through operating system infrastructure.
California and Colorado require operating systems to report age brackets to app stores and websites. That is compelling speech. The OS vendor, the Linux distributor, the individual developer has no choice, no editorial discretion, no opt-out. They are conscripted into making affirmative representations on behalf of a government regulatory regime, to third parties, through software they built.
New York goes further. By mandating third-party identity verification and explicitly forbidding self-reporting, it compels every party in the verification chain to participate in and affirm a government-mandated identity attestation system. The device manufacturer, the verification intermediary, the platform. All of them are being forced to speak.
“If there is any fixed star in our constitutional constellation, it is that no official, high or petty, can prescribe what shall be orthodox in politics, nationalism, religion, or other matters of opinion or force citizens to confess by word or act their faith therein.” — West Virginia State Board of Education v. Barnette, 319 U.S. 624 (1943)
Compelled speech claims require strict scrutiny. The government’s interest in child safety, however genuine, has not historically been sufficient to override the right not to speak. Hurley v. Irish-American Gay Group, 515 U.S. 557 (1995), and Janus v. AFSCME, 585 U.S. 878 (2018), both reaffirmed that protection. These laws fail at the threshold.
I have watched this dynamic in my professional environment. When an organization is told it must report certain things through certain channels, the people who understand the technical architecture immediately understand what is being built and what it enables downstream. The legislators drafting these bills often do not. The governments that eventually inherit and exploit the infrastructure will.
II. Anonymous Speech, Access to Information, and What Actually Protects Children
I am a millennial. I grew up on the actual wild west internet, before guardrails, before platform consolidation, before anyone had seriously thought about content moderation at scale. I saw both sides of it. The communities, the technical rabbit holes that became a career, and the genuinely dark spaces that existed alongside all of that. What made the difference was not what I was blocked from. It was what I had context for.
My parents engaged directly with what I was consuming. I was reading Stephen King at ten or eleven. They did not hide it or panic. They talked to me about it. When I was twelve I was playing God of War. Same approach: here is what this is, here is the context, here is how to think about it. None of that harmed me.
What did cause real harm was the opposite model. I grew up around Catholic purity doctrine, which is the restriction-and-shame framework taken to its logical conclusion. The things that framework refused to name, refused to explain, refused to treat as real and discussable, those were the things I eventually found on my own, without context, without anyone to process it with. The silence did not protect me from any of it. It just guaranteed I encountered it alone.
That is not a coincidence. It is the consistent finding across every domain where restriction has been tested against education. Drug policy. Sexual health. Online safety. You do not eliminate exposure by making access harder. You eliminate the guidance that makes exposure navigable. A teenager who hits a wall and gets no explanation does not stop being curious. They find another route. The question is whether an adult is any part of that journey or not.
You do not eliminate exposure by making access harder. You eliminate the guidance that makes exposure navigable.
The First Amendment has understood this logic, at least implicitly, for a long time. Talley v. California, 362 U.S. 60 (1960), and McIntyre v. Ohio Elections Commission, 514 U.S. 334 (1995), established that anonymous access to information is constitutionally protected because the ability to read, explore, and form opinions without state observation is foundational to how people actually develop judgment. Reno v. ACLU, 521 U.S. 844 (1997), applied that reasoning directly to the internet. These laws invert it entirely. They make identity disclosure the price of entry to a general-purpose computing device.
I keep my personal and professional digital lives separated. Not because I have something to hide in either one, but because that separation is autonomy. Being able to exist in different contexts without every context feeding into one surveilled profile is worth protecting. These laws eliminate it for everyone. The abuse survivor researching options. The person with a medical question they cannot ask at home. The teenager who needs information their parents have decided not to provide. All of them lose that space. That is not a side effect. It is the mechanism.
III. The Fourth Amendment: This Is How You Build a Surveillance Apparatus
The Fourth Amendment problems are the most structurally serious because they are not just about what these laws do today. They are about what they make possible permanently.
As someone who does security architecture and threat modeling professionally, I want to be direct about this: once surveillance infrastructure exists, it gets used for purposes far beyond its stated rationale. That is not cynicism. That is how surveillance infrastructure has functioned in every historical context where it has been built.
In Carpenter v. United States, 585 U.S. 296 (2018), Chief Justice Roberts held that the government cannot access cell-site location information without a warrant. The reasoning mattered as much as the holding: Roberts recognized that applying 20th-century legal frameworks to digital data produces results that are both absurd and dangerous. The third-party doctrine cannot survive in a world where your phone generates a comprehensive record of your life continuously and unavoidably.
I watched a version of this dynamic play out recently with an administration attempting to compel an AI company to strip privacy guardrails protecting Americans from warrantless surveillance. The company’s stated limits were straightforward: no mass domestic surveillance, no fully autonomous lethal weapons. Those positions would likely command broad bipartisan public support if put to a vote. They were framed as ideological overreach. They were not. They were a product manufacturer saying their product is not rated for this use, and the government reached for national security designations historically reserved for foreign adversaries in response.
These age verification laws hand that same class of government actor a comprehensive surveillance apparatus over all digital device usage, built by mandate into private infrastructure. A law requiring verified identity to operate any internet-connected device does not just create a record of your location. It creates a government-mandated record of every app used, every site visited, every document accessed, all tied to a verified legal identity. Riley v. California, 573 U.S. 373 (2014), unanimously held that police cannot search a cell phone without a warrant because a smartphone is not just another container, it is the privacies of life in portable form. Identity-linked device usage data reveals everything that cell-site data only hints at.
You cannot build a system that ties verified identity to all device usage without building a surveillance apparatus. That is not a drafting error. It is what the requirement produces by definition.
New York’s bill is the worst of them on this dimension. By mandating third-party verification by methods determined by the Attorney General and explicitly forbidding self-reporting, it outsources the surveillance infrastructure to private entities operating under government mandate while the state retains regulatory authority over what verification methods are acceptable. That structure is exactly what the Fourth Amendment exists to prevent.
IV. The Fifth Amendment: Self-Incrimination by Default
Most commentary on these laws stops at the First and Fourth Amendments. The Fifth Amendment problem is underappreciated and potentially just as severe.
In Fisher v. United States, 425 U.S. 391 (1976), the Court developed the act-of-production doctrine: the act of producing documents can itself be testimonial and therefore protected. Laws mandating identity-linked device usage create this problem at industrial scale. By requiring a verified identity attached to all device usage, these laws mandate the continuous creation of a comprehensive self-incriminating record.
The attorney-client privilege problem is the clearest example. Attorney-client privilege exists to ensure people can consult legal counsel without those communications being used against them. The moment verified identity is tied to all device usage, every communication with an attorney through a digital device has a state-mandated surveillance layer beneath it. The privilege is not broken directly. It is made structurally indefensible by the infrastructure the law requires.
The same applies to doctor-patient communications, communications with clergy, and every other relationship the law has decided deserves privilege. Those protections exist because the state has acknowledged that certain communications are so fundamental to human dignity and to the proper functioning of society that they must be shielded from state intrusion. Laws mandating comprehensive identity-linked surveillance of all digital activity undermine all of them simultaneously.
New York’s bill, by forbidding self-reporting and requiring third-party verification, ensures the identity linkage is not theoretical. It is operational, verified by an independent party, logged by mandate, and available through regulatory process to the Attorney General. The self-incriminating record is built into the architecture of the law from day one.
V. Regulatory Capture Disguised as Child Safety
Beyond the individual rights violations, these laws have a structural consequence that deserves its own attention: they effectively eliminate the open source computing ecosystem while entrenching platform monopolies through regulatory mandate.
Consider what compliance actually requires. Apple, Microsoft, and Google have legal departments, compliance infrastructure, and engineering resources to implement age signaling systems, integrate with Attorney General-approved verification services, and navigate evolving requirements as they change. A Linux distribution maintained by volunteers does not. A nonprofit foundation running on grant funding does not. An individual developer does not.
I know this from direct experience. I have built security infrastructure largely solo for a 150-person public sector organization, navigating compliance requirements that assume resources and staffing that simply do not exist at that scale. The compliance burden of these laws falls with crushing asymmetry on exactly the entities that represent the most important alternatives to the large platforms.
The practical result is a tiered speech regime. Large corporate platforms survive because they can comply. Individual developers, small teams, open source contributors, and nonprofits get effectively prohibited from distributing software to consumers in these jurisdictions, not by explicit ban, but by compliance cost that is impossible to absorb. When a law’s practical effect is to eliminate entire categories of speakers while leaving only the most well-resourced standing, that is a First Amendment problem independent of every other argument here.
As Richell noted, New York’s bill is so carelessly drafted that downloading a Linux distribution from the internet could technically make the downloader the “device manufacturer” responsible for compliance. That is not a minor drafting error. It illustrates the fundamental incompatibility between legislation designed for the iOS and Android ecosystems and the reality of open computing, where anyone can install, modify, and distribute an operating system.
Microsoft, Google, and Apple were always going to be ready to implement this. They were functionally doing it already. The practical effect of these laws is to use child safety regulation as the mechanism to complete platform consolidation that antitrust law is supposed to prevent. The state becomes a cartel enforcer. The open source ecosystem is the collateral damage.
VI. It Does Not Even Work, and It Makes Children Less Safe
Setting aside the constitutional problems: these laws fail on their own terms. As a security professional I want to be precise about the nature of that failure. They do not reduce the harm they claim to target. They relocate it, strip away protective context, and create a new and largely undiscussed threat that may prove more dangerous to children than anything they purport to address.
Colorado’s and California’s bills contain no actual age verification. Users attest to their age. They can lie. Children are entirely capable of lying about their age, and these laws, by degrading the experience for anyone who does not lie, actively incentivize dishonesty. Australian social media age verification requirements have already produced documented instances of teenagers distorting their faces to fool age-verification algorithms. Many have been writing tooling to spoof a D-Bus age verification interface before the specification is even finalized. If a hobbyist can build countermeasures before the spec is done, it is not going to stop anyone with motivation.
The funneling effect is the consistent lesson of harm reduction across every domain. You do not eliminate exposure by restricting the safest channels for it. You push it into less accountable, less visible spaces. Growing up on the early internet, I saw both sides of this directly. The difference between encountering something difficult with context and encountering it without context is enormous. These laws systematically eliminate the context.
But the threat that gets almost no attention in legislative debate is the adversarial data breach risk that centralizing verified identity databases creates specifically for children.
These laws require creating and maintaining databases that link verified real-world identities to device usage, age brackets, and potentially biometric data. From a security architecture standpoint, this is a catastrophically attractive target. The OPM breach. The Equifax breach. The National Public Data breach exposing nearly three billion records. We already know these databases get breached. The question is not whether a database linking children’s verified identities to their device usage and online behavior will be breached. The question is when, and what adversaries do with it.
A database linking children’s verified identities to their online behavior does not protect them. It hands anyone who breaches it the most precise child-targeting system ever built.
Malicious actors, criminal networks, foreign adversaries, domestic bad actors, could use that database to identify, locate, profile, and target children with a specificity and efficiency that is currently impossible. The surveillance infrastructure these laws create in the name of child protection could become the most effective tool for child exploitation ever assembled. The legislators drafting these bills have not, as far as the public record shows, seriously engaged with this risk. They have treated centralized identity-linked surveillance as a costless tool without reckoning with what happens when someone else gets access to it.
The wild west internet of my childhood was genuinely dangerous in places. But it was dangerous in ways that were distributed and difficult to scale into systematic targeting. The infrastructure these laws propose is dangerous in the opposite way: centralized, comprehensive, and extraordinarily scalable for anyone who gains access. Trading distributed navigable risk for concentrated catastrophic risk is not protection. It is a failure of risk analysis.
VII. What the Courts Are Likely to Do
These laws are highly vulnerable to challenge and the current judicial landscape makes that worse for their defenders, not better.
The Roberts Court has been notably sophisticated on digital rights. Carpenter showed willingness to depart from established doctrine when it produces results incompatible with digital reality. Riley was unanimous. The Court’s signals on encryption and surveillance mandates have been consistently cautious. Justice Gorsuch brings principled and structurally rigorous skepticism of regulatory expansion into new domains, and his Fourth Amendment record is hard to square with siding with laws that mandate precisely the surveillance infrastructure Carpenter was concerned about. Justices Kagan, Sotomayor, and Jackson have been consistent and forceful on digital privacy and speech.
Realistically you could see 7-2, 8-1, or even 9-0 on the most egregious provisions. The compelled speech and surveillance infrastructure arguments draw votes from justices whose stated judicial philosophies cut directly against these laws regardless of political affiliation. Thomas and Alito, whatever their other tendencies, have genuine skepticism of expansive administrative authority, and New York’s bill hands enormous regulatory discretion to an Attorney General. That is exactly the kind of executive overreach they have historically opposed.
The EFF, ACLU, and NetChoice will be among the first challengers. The Linux Foundation, Apache, FSF, and similar organizations will bring technical expertise as amici that courts have shown receptiveness to when navigating unfamiliar technical terrain. Preliminary injunctions are a realistic near-term outcome for California and Colorado. First Amendment doctrine presumes that ongoing constitutional violations constitute irreparable harm, which lowers the injunction threshold considerably.
New York, if enacted, is the most likely vehicle for a definitive Supreme Court ruling. Its scope is broad enough and its constitutional problems numerous enough that it presents the cleanest vehicle for an opinion that settles this area of law comprehensively. The convergence of compelled speech, surveillance infrastructure, Fifth Amendment privilege, and the structural elimination of open computing is the kind of multi-ground challenge that produces landmark opinions.
What that opinion should say, plainly: compelling individuals to provide state identification or biometric authorization to access any computing device or digital information is among the clearest examples of compelled speech in recent decades. It creates the architecture for state-controlled information flow and the capacity to censor information or target anyone exercising their First Amendment rights. An individual platform may decide under its own purview to require identification for content it deems adult. The state may not mandate the same for usage of all internet-connected devices, because doing so builds the on-ramp to state surveillance in violation of the First and Fourth Amendments. And it can be reasonably extrapolated that this level of compelled speech and surveillance implicates the Fifth Amendment where a user tied to all their device usage communicates with an attorney, breaking privilege and compelling self-incrimination by default.
That is the right opinion. It would be a landmark. It is what these laws deserve.
Conclusion: Education, Not Surveillance
The core error in these laws is assuming safety can be legislated through restriction. Every domain where we have tested that assumption has returned the same result: restriction without education produces worse outcomes than honest engagement with complexity.
The most technically capable individuals will circumvent these laws before the ink is dry. I know this because I am already doing it, not from any malicious purpose but from the straightforward position that I own my hardware and the state does not have the right to mandate what it reports. The question is whether technically curious young people do this with or without adults who have engaged honestly with what the digital world contains. My own experience makes the answer to that question obvious.
What these laws actually build is surveillance infrastructure, the elimination of the open computing ecosystem, the entrenchment of platform monopolies, and the violation of the First, Fourth, and Fifth Amendment rights of every American who uses an internet-connected device. That is an extraordinary price to pay for a child protection benefit that the laws’ own mechanisms make illusory.
The Constitution is not a procedural inconvenience to well-intentioned legislation. It exists precisely to protect people from the state’s exercise of power beyond its rightful limits. These laws exceed those limits clearly enough that they should not survive their first serious constitutional challenge. The courts should say so plainly, broadly, and for the record.
“The challenges we face are neither technical nor legal. The only solution is to educate our children about life with digital abundance.” — Carl Richell, CEO, System76 (March 2026)
He is right. Until that lesson lands with the legislatures drafting these bills, the courts are the last line of defense for the open computing ecosystem and for the fundamental digital rights of everyone who uses it.
Key Cases Referenced
- West Virginia State Board of Education v. Barnette, 319 U.S. 624 (1943) — Compelled speech; government cannot compel ideological affirmation
- Wooley v. Maynard, 430 U.S. 705 (1977) — Right not to speak; cannot compel display of state motto
- Talley v. California, 362 U.S. 60 (1960) — Anonymous speech protected by First Amendment
- McIntyre v. Ohio Elections Commission, 514 U.S. 334 (1995) — Constitutional protection for anonymous political speech
- Reno v. ACLU, 521 U.S. 844 (1997) — Internet speech receives highest First Amendment protection
- Katz v. United States, 389 U.S. 347 (1967) — Fourth Amendment protects reasonable expectations of privacy
- Riley v. California, 573 U.S. 373 (2014) — Warrant required to search cell phone; digital data demands heightened protection
- Carpenter v. United States, 585 U.S. 296 (2018) — Warrant required for cell-site location data; third-party doctrine cannot survive digital reality
- Fisher v. United States, 425 U.S. 391 (1976) — Act of production doctrine; compelled production can be testimonial
- Hurley v. Irish-American Gay Group, 515 U.S. 557 (1995) — Private entities cannot be compelled to carry others’ messages
- Janus v. AFSCME, 585 U.S. 878 (2018) — Compelled speech; near-categorical First Amendment protection