Age assurance laws and open source: what maintainers need to know

Introduction to Age Assurance and Open Source Implications

• The discussion focuses on age assurance proposals being introduced in various regions, including the US, Brazil, and Europe, and their implications for open source and developers. The aim is to provide a developer-first policy discussion, highlighting what maintainers need to know about these proposals and opportunities for advocacy and improvement in open source 42s.
• Katie Seen James, the senior US policy manager for the Open Source Initiative (OSI), explains that OSI is a nonprofit organization established in the late 1990s to oversee the open source definition and approve licenses that meet this definition. OSI has also applied the open source definition to AI, releasing an open source AI definition in October 2024 2m6s.
• Anne Dickison, the deputy director at the FreeBSD Foundation, describes the foundation as a nonprofit supporting the FreeBSD project through infrastructure support, software development, advocacy, and education. The FreeBSD project operates independently with its own leadership and decision-making processes 3m42s.
• Age assurance is described as an umbrella term that includes various methods such as age verification, age estimation, and age attestation. Age verification involves highly effective methods like using photo ID, while age estimation uses signals like biometric scanning. Age attestation is a less reliable method where users simply input their age, similar to early social media practices 5m42s.

Overview of Age Assurance and Legislative Tradeoffs

• Age assurance laws and proposals involve tradeoffs between privacy, cybersecurity, and freedom of information, and it is essential to examine the legislative text to understand what they propose, particularly for people who care about children's safety online and those who use the internet 10s.
• The discussion around age assurance laws is crucial for the open source community, especially since some proposals are moving down the tech stack into operating systems, applications, and browsers, which raises questions for developers, such as those working on open source operating systems like FreeBSD 2m6s.
• The UK Online Safety Act has required highly effective age assurance for adult content websites, and other countries like Australia have passed social media minimum age laws, which may not directly impact platforms like GitHub but still affect the broader online ecosystem 4m6s.

Impact of Age Assurance on Open Source Projects

• Open source developers are more technically informed about the definitions and implications of age assurance laws, making their input essential in aligning regulatory intent with technical reality, especially when defining what an application or app store is 6m6s.
• The Open Source Initiative (OSI) and its coalition, the Open Policy Alliance, which includes members like the FreeBSD Foundation, have been tracking age assurance laws and proposals, and they rely on partners to stay informed about the various policies emerging at the state level in the United States 8m6s.
• The age assurance laws became an open source issue when organizations like the OSI and its members, such as the FreeBSD Foundation, started receiving questions and concerns from their communities about the potential impact of these laws on open source projects and the need for guidance on how to navigate these regulations 10m6s.

Community Concerns and Legislative Uncertainty

• There is a growing concern in the open source community about how age assurance laws will impact various projects, with questions arising about the necessity and implementation of these laws. The Open Source Initiative (OSI) has started tracking these developments due to their potential widespread effects on open source projects. 10s
• Community members from regions like Brazil, California, and Colorado have raised questions about the impact of these laws on projects such as FreeBSD, prompting discussions among developers to understand the implications. The legislation's text is often unclear, leading to uncertainty about compliance and implementation. 42s
• Discussions about developer policies related to these laws are frequently occurring on platforms like Reddit and Hacker News, but there is a need for better communication channels to understand developer concerns. FreeBSD, as an operating system, faces uncertainty about how its ports and packages system might be classified under these laws, especially given the varying regulations across different states and countries. 2m6s

Privacy, Security, and Liability in Open Source Projects

• Privacy and security concerns are significant, as operating systems typically do not retain user information, adding to the uncertainty within the community. The potential liability for volunteers leading small projects is also a concern. 3m0s
• Broad definitions in the legislation, such as those for "application" and "app store," pose risks of inadvertently including open source infrastructure within the scope of the law. Projects like F-Droid, which provide access to repositories of free and open source applications, face questions about how these laws might affect them. 4m0s
• The challenge lies in the diverse nature of open source projects, which do not conform to a one-size-fits-all approach, making it difficult to determine the full impact of these laws on different projects and systems. 5m0s

Challenges in Defining Open Source in Legislation

• Understanding legislative texts and determining their applicability to various open source projects is challenging, with potential impacts that are not yet fully known. F-Droid is highlighted as a significant example of being included in a broad definition of application or app store, which could affect smaller projects unable to handle legal implications 10s.
• Many laws assume centralized providers like Google or Apple App Stores, which have user accounts and control over software usage. This assumption does not align with open source operating systems, which lack centralized control and allow for software to be downloaded, modified, and redistributed without the project's knowledge of the users or their actions 2m6s.
• Lawmakers often misunderstand the distinction between deployers and developers in open source software, as they are not always the same entity, unlike in traditional software development. Educating policymakers about this distinction is crucial, especially in contexts like the European Union's Cyber Resilience Act 4m6s.

Misunderstandings in Policy Regarding Open Source

• There is a general lack of understanding among policymakers about how open source licenses work, particularly the lack of control over downstream users. This misunderstanding extends beyond age assurance policies and is relevant in discussions about regulating AI 5m6s.
• An open source license, once applied to code, cannot be revoked even if a downstream user misuses the code or acts unlawfully. This creates both legal and practical challenges in tracking the downstream use of the code. 10s
• There is a need for policy makers to gain hands-on experience with platforms like GitHub and understand the integration of open source components in software applications, as this knowledge can bridge the gap between developers and policy makers. 2m6s

Legal and Practical Risks for Open Source Developers

• Concerns exist about the potential chilling effects and liability issues of broad age assurance laws, which may lead to over-correction, such as restricting access to software or hesitating to use open source due to unclear legal implications. 4m10s
• Ambiguities in the language of these laws could result in unintended consequences, such as civil actions being brought against developers, depending on the specific state or law. 6m0s
• Concerns are raised about the potential for criminal actions against open source developers due to laws that may not fully understand how open source works, which could have a chilling effect on the community. The financial and knowledge burden of defending against lawsuits is also a significant concern, even if developers might ultimately win. 10s

Policy Evolution and Opportunities for Advocacy

• It is important for individuals to understand the proposals of new laws and how they might evolve over time. Laws passed by states may be amended over several years before coming into force, and overbroad or ambiguous language can be improved. The example of Brazil's digital ECA is mentioned, which includes caveats about being likely accessed by children, suggesting that open source operating systems may not fall under this definition. 1m6s
• Positive developments have been observed in California and Colorado in response to concerns from the open source community. These experiences highlight the importance of engaging with policymakers to educate them about open source development and address broad concerns without directly commenting on specific bill texts. 2m6s
• The Open Source Initiative (OSI) engages in an educational capacity with policymakers to explain how open source development works and to discuss concerns about certain policy approaches. It is crucial to meet policymakers at their level of understanding and recognize the goals they aim to achieve with their policies. 2m6s
• Open source communities benefit from engaging with policymakers by providing insights and understanding the goals of regulations, rather than opposing them outright. This approach helps in making precise changes to policy language to exclude open source from unnecessary regulation and address policymakers' concerns effectively. 10s

Engagement Strategies for Open Source Communities

• Early engagement and education are crucial for open source communities to influence policy development. This involvement helps in educating policymakers about the open source process and the potential for collaboration. 1m6s
• There is a need to increase awareness among young people about the benefits of participating in the open source community. Open source platforms often lack features that promote unhealthy use, such as excessive consumption and targeted advertising, which are common in monetized platforms. 2m6s
• Open source software provides users with more agency and promotes digital literacy, enabling them to navigate the online world more effectively and see themselves as active participants rather than just consumers. 2m6s
• The open source community should focus on understanding the monetization and incentives of platforms to address features that promote harm. Policymakers should consider how to make the broader digital environment more like the open source model. 2m6s

Learning from International Policy Experiences

• The open source community in the US and elsewhere can learn from successful engagements in Europe, such as with the Copyright Directive and the Cyber Resilience Act, to improve their own policy ecosystems. 3m6s
• The European community had to come together to explain and educate the European Commission about how open source works due to regulations such as the Copyright Directive and the Cyber Resilience Act, which ultimately led to a helpful relationship between the European Commission and the open source community 10s.
• The distinction between deployer and developer was a crucial part of the Cyber Resilience Act implementation, ensuring that regulations were applied to deployers who understand the cyber implications, rather than open source developers, to avoid a chilling effect on the open source community 42s.
• In the US, the decentralized system with 50 states and multiple federal agencies makes it more challenging to coordinate efforts, unlike in Europe, where a more coordinated approach has been established, and the open source community can learn from this experience 2m6s.

Challenges in US Policy Coordination and Advocacy

• Policy makers in the US often find it difficult to identify thought leaders or partners in the open source community, unlike in other parts of the tech industry with larger policy and lobbying operations, and a more coordinated approach in the US could be more effective 2m6s.
• The open source community in the US can take a lesson from Europe's experience and work towards building consensus on certain issues to channel their technical expertise to policy makers, which would be welcomed by policy makers who are trying to make sense of many different issues 2m6s.
• The legal environment plays a significant role in the development of the tech sector, as seen in the article "How the Law Created Silicon Valley," which highlights the importance of a permissive liability environment and research funding in allowing the US tech sector to flourish 2m6s.

Future of Tech Regulation and Open Source

• A significant shift is being seen in the US legal environment, with expectations of tech regulation changes possibly coming out of Congress in 2027, and the open source community should be prepared to address these changes 2m6s.
• There is a growing concern about children's access to technology and identity issues, particularly in the context of AI, which is seen as a generationally defining technology. States are taking action independently, leading to a complex landscape of privacy regulations that complicates the establishment of a federal privacy standard, an effort that has been ongoing in Congress since the 1990s. 10s
• Effective tech policy design should begin with a clear scope to determine which platforms are affected. Understanding the technology being regulated is crucial, and knowing the appropriate contacts for consultation can lead to more accurately written laws. 2m6s

Designing Effective Tech Policy

• Policymakers should focus on the employer level and consider the features of technology that may drive addictive behavior or other concerns. This approach can help in crafting more targeted and effective regulations. 2m6s
• There is a discussion on whether to regulate at the operating system level versus the app level, with a focus on the potential impact on open source operating systems. It is suggested to engage with the open source community early in the legislative process to avoid negative effects and ensure clarity in the language of the legislation to prevent confusion and a chilling effect on projects. 10s
• It is recommended to involve organizations like OATH and open source stewardship foundations to provide technical perspectives in policy-making. The US Congress has a tech policy fellowship that could serve as a model for state-level initiatives, and there are resources available at universities and other departments that could assist policymakers. 1m0s

Engagement and Advocacy for Developers

• Developers and maintainers are encouraged to stay informed by following blogs from GitHub's policy team and the Open Source Initiative (OSI). Joining the Open Policy Alliance (OPA), a coalition led by OSI, is recommended for nonprofit open source organizations to engage in policy discussions. OPA offers free membership and holds bi-monthly meetings to provide updates and opportunities for involvement. 2m6s
• Maintainers are encouraged to contribute their expertise to policy discussions, especially if they notice inaccuracies or feasibility issues in proposed legislation. They are urged to see themselves as empowered participants who can make a difference in the policy-making process. 3m0s
• There is a mention of positive examples of engagement in policy discussions, such as a recent hearing in Colorado, highlighting the importance of active participation in shaping legislation. 4m0s
• Developers in Colorado have significantly contributed to improvements in age assurance laws, particularly in operating systems and app stores, through community advocacy efforts. This demonstrates the effectiveness of grassroots involvement in policy changes. 10s
• It is emphasized that contacting representatives is easier than many people think, and developers, as experts in developer policy, should engage in advocacy if they have concerns or wish to be involved. 42s

Global Perspective on Age Assurance and Open Source

• The issue of age assurance is not limited to the United States but is a global concern, as evidenced by the diverse international participation in the discussion. 1m6s
• There is a debate about the risks associated with open source software compared to closed source software, with the argument that open source should not be considered inherently riskier. The focus should be on understanding the specific features of technology that impact children's safety online and targeting legislation accordingly. 1m30s
• The UN Declaration on the Rights of the Child is mentioned in the context of children's digital rights, highlighting the importance of considering human rights aspects, such as freedom of expression, participation, and access to knowledge, in discussions about online safety and age assurance. 2m6s

Balancing Safety and Rights in Digital Spaces

• The internet provides transformative access to information and opportunities, making it crucial to consider the implications of restricting access and engagement. 10s
• Open source licenses do not imply responsibility for downstream users' actions, but certain laws could require developers to revoke licenses if AI detection tools are removed, creating a conflict between state law and open source principles. 2m6s
• Open source licenses are designed to enable free sharing and should not be used to enforce laws or control downstream users. 4m0s

Improving Developer Policy and Coalition Efforts

• Efforts are being made to improve the developer policy environment in the US through a broader open source coalition. 6m0s
• An educational document is available to inform lawmakers about the benefits of open source and the importance of understanding downstream uses without revoking licenses. 7m0s
• Appreciation was expressed for the contributions of individuals named Katie and Margaret, who are involved in work related to an open source operating system. 10s

Conclusion and Appreciation for Open Source Contributions

• The importance of open source work was emphasized, highlighting its significance and the need to support it. 10s