GrapheneOS is resisting age verification surveillance laws, vowing to uphold privacy protections and implementations for all users globally.
Faced with a growing number of age verification laws this time hailing from the United States, and already enforced in Brazil, GrapheneOS has simply said ‘no thank you’.
On Friday 20th March, the privacy-focused Android fork confirmed via tweet that it will not implement the arbitrary age verification data capabilities demanded by these laws.
In response to the news, the project’s twitter handle posted:
GrapheneOS will remain usable by anyone worldwide without requiring personal information, identification, or an account.
This clear cut stance is one that operating system developers have yet to fully emulate and embrace, but it is worth understanding what the stance actually means.
Age verification law debus in Brazil
Brazil’s Digital ECA (Law 15.211), which came into effect on March 17, imposes fines of up to R$50 million (roughly $9.5 million per violation) on OS distribution providers that fail to build age attestation (a prelude to verification) into their device setup.
The move undermines the very premise of Free and Open Source Software (FOSS), which typically do not have the sort of funding to stave off state demands of this nature.
In the US, California’s Digital Age Assurance Act, AB-1043, goes further. Signed by Governor Newsom in October 2025 and set to take effect on January 1, 2027, it requires every OS provider to collect a user’s age or date of birth during account setup. This data must then be sent in real-time to app stores and developers through an application programming interface (API).
Colorado’s SB26-051, passed by the senate on March 3, contains similar requirements.
Tearing up Magna Carta
Together, these laws envision an architecture where users do not truly own their electronic devices.
The legal requirement renders device access and usage conditional, a premise which stretches beyond an age-linked identity layer.
Devices and applications locked behind arbitrary verification systems opens the door to pre-Magna Carta levels of injustice, whereby corporations and government entities are able to seize or revoke property access on a whim.
In other words, age-verification laws lay the groundwork for both targeted and blanket arbitrary denial of device ownership. From a functional perspective, this means the device and property you purchased is not truly yours.
Collectively, these laws envision an architecture where an age-linked identity layer is built into the operating system itself, before any applications are even opened.
GrapheneOS is developed by the GrapheneOS Foundation, a registered Canadian non-profit.
The potential consequences might be greater for GrapheneOS and Motorola following the partnership at MWC on March 2nd to bring the hardened OS to native Motorola hardware.
Currently, GrapheneOS offers exclusive support to Google Pixel devices due to hardware-based security and features, but a Motorola phone is expected in 2027.
GrapheneOS’ position could become a commercial viability issue for Motorola – a global hardware manufacturer.
Age verification is overwhelmingly unpopular
The OS is not alone in its outright refusal to implement proto-age verification capabilities. A Github page listing linux distributions and their status on the whole age verification debacle has been making the rounds too.
MidnightBSD took it a step further by updating its license to block users in Brazil entirely.
These refusals come from projects that build applications for the public for free.
A core principle behind said projects is one shared by just about anyone who uses an electronic device, that is, government-mandated surveillance infrastructure has no business being present on the devices you own and the software you run.
Over 400 computer security researchers have signed an open letter arguing that these laws construct surveillance architecture without protecting children.
The real outcome is a mandatory data pipeline connecting OS providers, app stores, and developers, with real-time ID signals tied to device setup, and no clear understanding of how that infrastructure will be used in the future.
If you found this article useful, consider sharing it.
