Practical suggestions for resolving the Brazilian problem

On March 17, 2026 the Brazilian government will be enforcing a new law that requires age verification of the users of a computer operating system. This thread is to discuss how the FreeBSD developers could resolve this problem within the next 11 days. Please add your own ideas and pick apart any/all that have been posted.

Summary in English

1. Geo-block Brazil from image downloads and from pkg repositories.
This is an extreme solution that will alienate the Brazilian user community, but it is the quickest to achieve given the lack of time.

2. Modify pkg so that it can accurately geo-locate by the public IP address.
If a Brazilian IP address is detected, pkg requests the email address of a human installer over the age of 18 that is responsible for the system. Pkg will no longer install or update until a token received by email from pkgtoken@freebsd.org is entered into pkg.

Pkg will also have to state on every execution that the FreeBSD package repo is for 18+ users only and it is the responsibility of the system administrator not to permit use of the system by minors. All existing FreeBSD systems will remain usable in a pre-enforcement date state. However, they will not be able to update until the sysadmin confirms to pkg that the system is for 18+ users only. If the public IP address changes, pkg will have to request a new authorisation token to continue. This is the only way to deal with geo-locating dynamic IP or portable systems that are travelling (visiting laptops).

The authorisation token does not need to be individual to the machine. A simple method of using a token matching the last 8 bits of an IPv4 or IPv6 address is good enough. Every quarter, regenerate those 256 tokens and save them on a private system area of the package repo. An already authorised pkg will automatically roll over to the new token without human intervention. Yes, someone could map the bit to token assignments every quarter and publish them, but the new pkg program must save the email address and display it every time pkg is run. Whoever runs package will see the email address that was used to obtain the token.

If a fake email address is used with published tokens, then the Brazilian authorities have the problem of identifying the sysadmin and the token publisher. The sysadmin becomes the criminal.

Pkg gets updated every quarter to recognise the new set of 256 tokens used by the FreeBSD repo. If pkg is used in Brazil without a valid token it fails safe (legally, not functionally) by not updating and not installing software until a sysadmin has submitted an email address to receive an unlock token.

If pkg is used against a private repo, such as a Poudriere built repo, then no email address or token checking is required. Whoever operates the Poudriere repo is the software distributor.
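An added illustration of the token scheme proposed in the post above (not code from the thread or from pkg). The post does not say how the 256 tokens are generated; the HMAC derivation, `REPO_SECRET` and all function names here are assumptions, and the addresses are constructed documentation addresses.

```python
import hashlib
import hmac
import ipaddress
from datetime import date

# Assumption: the repo derives each token from a private secret with HMAC-SHA256.
REPO_SECRET = b"constructed-demo-secret-not-a-real-key"

def quarter_label(day: date) -> str:
    """Calendar quarter a date falls in, e.g. 2026-03-17 -> '2026Q1'."""
    return f"{day.year}Q{(day.month - 1) // 3 + 1}"

def token_index(addr: str) -> int:
    """Last 8 bits of an IPv4 or IPv6 address (0..255)."""
    return ipaddress.ip_address(addr).packed[-1]

def token_for(index: int, quarter: str, secret: bytes = REPO_SECRET) -> str:
    """One of the 256 per-quarter tokens, selected by the address's last byte."""
    if not 0 <= index <= 255:
        raise ValueError("index must fit in 8 bits")
    msg = f"{quarter}:{index}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()[:16]

def token_table(quarter: str) -> list[str]:
    """The full set of 256 tokens the repo would regenerate each quarter."""
    return [token_for(i, quarter) for i in range(256)]

def is_authorised(addr: str, token: str, day: date) -> bool:
    """Check a stored token against the current public address and quarter."""
    expected = token_for(token_index(addr), quarter_label(day))
    return hmac.compare_digest(expected, token)

def demo() -> dict:
    day = date(2026, 3, 17)
    tok = token_for(token_index("203.0.113.77"), quarter_label(day))
    return {
        # Token issued for this address validates.
        "same_host": is_authorised("203.0.113.77", tok, day),
        # Any address ending in the same byte shares the token (not per-machine).
        "other_host_same_last_byte": is_authorised("2001:db8::4d", tok, day),
        # Address change to a different last byte needs a new token.
        "new_last_byte": is_authorised("203.0.113.78", tok, day),
        # Old token stops validating after the quarterly regeneration.
        "next_quarter": is_authorised("203.0.113.77", tok, date(2026, 4, 1)),
    }

if __name__ == "__main__":
    print(demo())
```

The `next_quarter` result is why the post has an already authorised pkg roll over automatically, and `other_host_same_last_byte` shows that the token identifies one of 256 buckets, not a machine or a person.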
 
Yes, a VPN to another country does hide your location if you are physically in Brazil. Using one could be considered by the Brazilian authorities as criminal intent of the user, not of the developers and distributors of FreeBSD. I am only really interested in protecting the FreeBSD Foundation from prosecution to ensure the longevity of the availability of FreeBSD in my lifetime.

I live in Airstrip One, where this stupid type of legislation originated. I have wasted hundreds of hours of my life dealing with this type of nonsense. I have lost online communities that I had to shut down because I couldn't afford compliance. My opinion now is that computers, the internet, mobile phones, social media should all be 18+ with no age or identity verification requirements. I got to the age of 18 without enjoying any of these things and many of my generation (X) will likely agree that life was better without them. I am sick of having to adjust my life because modern parents cannot be responsible for their kids and require the state to do that job for them, affecting the lives of everyone else.
 
It's coming. I quit throwing away old computers. The old hardwired stuff like AT and 8-bit machines are even more special now.
In Europe it's too silent around this. Quite sure they are all in to protect US big tech, what this is about. Most governments are in the MS cloud. Windows use at home is a large majority. Profit is massive. These are the biggest companies of all time.
 
The Digital ECA will apply to all information technology products and services aimed at or likely to be
accessed by children and adolescents, regardless of location, development, manufacture, supply,
marketing, and operation.
FreeBSD isn't aimed at, or likely to be accessed by, children.
 
FreeBSD isn't aimed at, or likely to be accessed by, children.
So would you agree that slapping an 18+ rating on the entire package repo is a low friction solution as it doesn't affect the target audience? Or do you think that preventing under 18's from installing FreeBSD as students, makers, software developers, hobbyists is a problem that those just in Brazil, California, Colorado and probably Texas have to get used to as they are not the primary market?

From my experience of making changes to achieve compliance with the UK Online Safety Act 2023, the law makers and prosecutors will take the view similar to that of medicines designed for prescription to adults. These must be supplied in child proof containers. You can argue as much as you want that your target market is adults only but if the law says that protection is required in case it is used by minors, you can choose to take a risk and defy the law or comply with it.
 
So would you agree that slapping an 18+ rating on the entire package repo is a low friction solution as it doesn't affect the target audience?
Nope.

From my experience of making changes to achieve compliance with the UK Online Safety Act 2023, the law makers and prosecutors will take the view similar to that of medicines designed for prescription to adults. These must be supplied in child proof containers.
Yes, because children can get their hands on it, unsupervised, and could potentially die taking those meds. No such risk exists if a child could get their grubby little hands on FreeBSD or the package repository. What's the worst that could happen?
 
What problem? Brazil is entirely unimportant and there is no penalty for ignoring their laws.
Really? Translate that to Portuguese and post it on the FreeBSD Brazil mailing list.

Brazil has decided to copy UK OFCOM and add extraterritorial fines. This is a serious problem, as it enables governments to seize assets from foreign investments. Does your pension fund have assets in Brazil? I think the entire situation is nuts and all of the legislators responsible should be held accountable for the damage they are causing globally.

No such risk exists if a child could get their grubby little hands on FreeBSD or the package repository.
That would require a judge that shared the same opinion as you and conclude sensibly. However, if the law says that child protections must be in place, and age ratings for the suitability of each of your products must be done by a certain date, then the judge has no wiggle room for interpretation and will follow the law.

All computer operating system distributors supplying to Brazil urgently need qualified legal advice. This thread is aimed at trying to come up with easily achievable practical solutions to minimise or eliminate the FreeBSD Foundation's exposure to legal action in Brazil and from other crazy governments that choose to copy them. It's not about trying to convince yourself that FreeBSD is not at risk, it's about taking steps within the next 11 days to guarantee that FreeBSD is not at risk. The clock is ticking!
 
There is an ISO standard ISO/IEC 27566 that covers age assurance.
It is now free of charge.

I have just downloaded a copy to read. It's probably worthwhile finding out what has been planned for us, and prudent for any techniques devised to follow the international standard.
 
I got a lawyer to consult about this matter, but until I get a full report, I want to share some clarifications.

The purpose of the law is not to monitor users, but to block companies from tracking, collecting, profiling and selling personal data from children, also to block advertising targeted to children, to block dark patterns and other tricks used in e-commerce and games platforms and other stuff that can be considered harmful to children. It is not government surveillance.

The target of the law is not people but companies, especially companies like Meta, ByteDance, Google, Microsoft, and others that collect, use and sell personal data.

The law requires age verification not because the government wants to know who is using the software, but because the only way for these companies to disable their surveillance apparatus for children is to know if the user is or is not a child.

About the age verification process at the OS level, this one was pushed by tech companies, not the government. So if we need to blame someone for this, we need to blame Big Tech.

How does this apply to FreeBSD and other open source projects?

The 15.211 law requires all operating system suppliers to abide by the law. But the Brazilian law also defines a supplier as someone that practices a commercial activity. So, at least theoretically, if someone tries to apply the law to an open source project, the project could be exempt because it is not legally a supplier.

There is the case of open source projects developed by non-profit foundations. In this case, someone could try to label the foundation as a supplier, but this is a bit of a legal grey area. In the case of a foundation being categorized as a supplier, the government could not apply the law since the foundation has no legal representation in Brazil. In an extreme case the government could label the operating system as unsafe for children and block the download in Brazil.

To avoid such a situation, there are some organizations working with the government to specifically define the supplier as a business entity, excluding non-profit foundations.

What do FreeBSD and other open source projects need to do right now?

My advice is to do nothing.

The law takes effect on March 17, but the deadline for the age verification process has not been defined yet; it will be defined in another law, not yet published. Until then, doing something is a waste of time because right now the law does not apply to open source projects done by volunteers and it is unclear if it will be applied to open source projects done by non-profit organizations.
 
Yes, because children can get their hands on it, unsupervised, and could potentially die taking those meds. No such risk exists if a child could get their grubby little hands on FreeBSD or the package repository. What's the worst that could happen?
They may learn to think for themselves, learn good coding practices and systemd is evil.
 
The law requires age verification not because the government wants to know who is using the software, but because the only way for these companies to disable their surveillance apparatus for children is to know if the user is or is not a child.
This is very interesting. So if the user is an adult (defined as over 18) the company is allowed to use surveillance methods, but if the user is under 18 the company must disable it?

Why not simply say "no company shall use electronic surveillance methods against their user regardless of age"?
 
I think the idea behind it is good. But as always lawyers/politicians want to make it difficult for everyone. They should focus on the problem. And target a solution which fixes the specific problem. But then most lawyers know nothing about informatics or software in general. They tend to write large documents. And that is their business.
 
From my experience of making changes to achieve compliance with the UK Online Safety Act 2023
Wasn't there some kind of "obscene pr0n" ban which was shelved after people started to flock to the police stations with suitcases and kept asking the constables if this exhibit A was illegal or legal to own after that deadline? DDOS by porn?

Best thing is to follow such laws, badly. Like telling the lawmakers that Netflix will be njetflix from now on because their back end is FreeBSD and that will be pulled. They will understand that.

I just heard about one of the actors behind this who wants to sell age verification as a service, by scanning your face. One of the guys behind this is a certain Peter T, which we all have heard so much about.
 