GrapheneOS announced it will not comply with emerging laws requiring operating systems to collect user age data at setup. "GrapheneOS will remain usable by anyone around the world without requiring personal information, identification or an account," the project stated on X. "If GrapheneOS devices can't be sold in a region due to their regulations, so be it." The statement came after Brazil's Digital ECA took effect on March 17, imposing fines of up to R$50 million (roughly $9.5 million) per violation on operating system providers that fail to implement age verification.
California's Digital Age Assurance Act, signed by Governor Newsom in October 2025, takes effect on January 1, 2027, and requires every OS provider to collect a user's age or date of birth during account setup and pipe that data to app stores and developers through a real-time API. Colorado's SB26-051 passed the state senate on March 3 with similar requirements. GrapheneOS is developed by the GrapheneOS Foundation, a registered Canadian nonprofit. None of these laws originate in Canada, but questions around jurisdiction remain open. US federal prosecutors successfully extradited and convicted the developers of Samourai Wallet, a privacy-focused Bitcoin mixer, in a case where one defendant lived in Portugal. California's AB-1043 carries civil penalties of up to $2,500 per affected child for negligent violations and $7,500 for intentional ones, enforced by the state attorney general.
Motorola and GrapheneOS announced a long-term partnership at MWC on March 2 to bring the hardened OS to future Motorola hardware, ending GrapheneOS's long-standing exclusivity to Google Pixel devices. A GrapheneOS-powered Motorola phone is expected in 2027. If Motorola sells devices with GrapheneOS pre-installed, those devices would need to comply with local regulations in every market where they ship, or Motorola may need to restrict sales geographically. GrapheneOS isn't the first to refuse compliance with age verification laws. The developers of open-source calculator firmware DB48X issued a legal notice stating their software "does not, cannot and will not implement age verification." MidnightBSD updated its license to ban users in Brazil.
California's law doesn't require photo ID or biometric verification. Users simply self-report their age during setup. Over 400 computer scientists signed an open letter arguing the laws create surveillance infrastructure without meaningfully protecting children, since self-declaration is trivially bypassed. Age verification laws for operating systems create permanent databases of who uses what software tied to real identities. The infrastructure built for age checks can be expanded to verify any attribute the government decides to require. Self-reported ages don't protect children. They do create records of which operating systems people install and when.
Ageless Linux is a Debian-based distribution that strips all age verification and data collection from the operating system. The project launched in response to California's Digital Age Assurance Act. Ageless Linux removes telemetry, analytics, and any code paths that could be used to implement age checks. The distribution is designed to be impossible to comply with age verification laws because the capability doesn't exist in the code. If California or Brazil demands age verification, Ageless Linux has nothing to verify with. The developers can't add it without rebuilding the entire OS from scratch.
GrapheneOS and Ageless Linux represent two approaches to refusing compliance. GrapheneOS says it won't implement age verification and accepts that devices may not be sold in certain regions. Ageless Linux removes the technical capability to verify age from the codebase entirely. Both approaches prioritize user privacy over access to regulated markets. Both refuse to build surveillance infrastructure that governments demand for supposed child safety.
Age verification laws target operating systems because operating systems sit between users and everything they do on their devices. Verify age at the OS level and every app, every website, every service inherits that verification. California's law requires OS providers to pipe age data to app stores and developers through a real-time API. This creates a system where every software interaction can be age-gated and monitored. The infrastructure isn't limited to protecting children. Once built, it verifies anything.
GrapheneOS serves users who prioritize privacy and security over convenience and market access. The Motorola partnership expands GrapheneOS beyond Google Pixel devices but complicates compliance. Motorola sells phones globally including in California and Brazil. GrapheneOS refuses to implement age verification. Motorola either restricts where GrapheneOS devices ship or faces penalties in regulated markets. The partnership announcement in March 2026 came before clarity on how this conflict resolves. A GrapheneOS-powered Motorola phone is expected in 2027. By then, multiple US states and countries may have age verification laws in force.
DB48X calculator firmware and MidnightBSD joined GrapheneOS in refusing compliance. DB48X issued a legal notice. MidnightBSD banned Brazilian users entirely. These are small projects with limited commercial exposure. GrapheneOS has a partnership with Motorola, a major manufacturer. The stakes are higher. The refusal matters more. Open-source operating systems that refuse age verification create options for users in regulated markets who don't want their OS collecting personal data.
Over 400 computer scientists argued age verification laws create surveillance infrastructure without protecting children. Self-reported ages can be bypassed by anyone including children. The laws don't require verification beyond user input. They do require infrastructure to collect, store, and transmit age data in real time to third parties. That infrastructure enables tracking of OS installs, app usage, and user behavior tied to declared ages and accounts. The supposed protection is theater. The surveillance is real.
Blackout VPN exists because privacy is a right. Your first name is too much information for us.
FAQ
What is GrapheneOS?
GrapheneOS is a privacy-focused Android fork developed by the GrapheneOS Foundation, a registered Canadian nonprofit. The OS was previously exclusive to Google Pixel devices but announced a partnership with Motorola in March 2026 to expand to Motorola hardware in 2027.
What age verification laws is GrapheneOS refusing?
Brazil's Digital ECA imposes fines of up to $9.5 million per violation on OS providers that fail to implement age verification. California's Digital Age Assurance Act requires OS providers to collect user age during setup and pipe that data to app stores and developers through a real-time API starting January 1, 2027.
What is Ageless Linux?
Ageless Linux is a Debian-based distribution that strips all age verification and data collection from the operating system. The project launched in response to California's Digital Age Assurance Act and removes telemetry, analytics, and code paths that could implement age checks.
Do age verification laws require photo ID?
No. California's law doesn't require photo ID or biometric verification. Users simply self-report their age during setup. Over 400 computer scientists argued this creates surveillance infrastructure without protecting children since self-declaration is trivially bypassed.
What other projects are refusing compliance?
DB48X open-source calculator firmware issued a legal notice stating their software "does not, cannot and will not implement age verification." MidnightBSD updated its license to ban users in Brazil entirely rather than comply with age verification requirements.
