I know, bad timing to return with this site. Five years after the last post, I am back here discussing the heated topic of the moment, and it is not only in technology circles.
Internet age verification and similar laws are popping up all over the world. In no specific order, Australia started with banning people under 16 from social media[1, 2] (we can discuss if this is good or not, I have my opinions but maybe for another time), then the UK had the dystopian Online Safety Act[3, 4] (“““Safety”””, many quotes), the EU is discussing a similar bloc-wide thing[5], some US states passed similar laws, like California and Colorado[6], and the shithole banana republic of Brazil decided to introduce its own version.
I would argue these are not coincidences, and I would even argue these are not just politicians imitating each other, monkey see, monkey do. Well, I may not need to argue, since recently some anonymous internet people[7] (it is almost always them, because Big News not only doesn’t give a fuck about this kind of thing, it supports it) (update while reviewing this text: the Tbote Project from the anonymous people above released an investigation on the Brazilian laws, I will take a look later), using public records, were able to point the finger at Meta (and others) as the main proponents of internet age verification laws. I need to delve more (“delve”, do I look like an LLM?) into these findings, especially regarding the law in Brazil, but for now the shit is done and we need to live with it.
All these age verification laws are similar but not equal. California’s law[8], for example, requests age indication at the operating system level, when setting up a device, i.e., you can input any number you want. While I disagree with the concept of even giving my fake birth date to Big Tech overall (I disagree with the principle itself, not the method), at least it is a reasonable expectation. Adults are the ones who buy and set up the devices, so I think it is fair for it to be on them to appropriately set up the device and give it to their children. New York’s bill[10], on the other hand, requires age verification, and although it hasn’t been approved yet, there is a risk of this fuckery passing. Well, the same New York wants to force 3D printers to spy on you and block the printing of weapon parts[11, § 837-AA], sneaking it into a budget bill, so you can see the clear tendency of politicians to jump on dumb ideas.
Back to Brazil. The law approved just last year, in September, requires age verification at the operating system level on top of requiring age verification on websites. Don’t ask me why this double requirement, but you know, the average Brazilian politician’s IQ is lower than a rat’s (sorry, rats, you don’t deserve this comparison), so don’t try to make too much sense of it.
If you don’t care about the background of this law, skip to the (il)legal analysis section. But I think you may be interested to know that, banana republic being banana republic, the trigger for this bill to pass was a well-intentioned youtuber getting the wrong kind of attention. Yes, a youtuber. Jesus!
To catch a predator
Once upon a time there was a youtuber named Felca. Who? Me too, I had never heard of him before. Let’s assume he exists somehow. In August of 2025 he posted a video titled “adultização”[29] (adultization) calling attention to a serious problem (no irony here, it was a disgusting problem): some influencers were using underage girls to publish videos in erotic contexts, like softcore pornography. The video starts with some lighthearted jokes about teenagers cosplaying as businessmen, but around the ten-minute mark it takes a dark turn and starts exposing some people, including parents, exposing their kids on the internet, not only in sexual contexts. Then it focuses on a specific guy who uses an underage girl exposing herself to the camera, even doing live concerts around Brazil. The video culminates with a quick test of how Instagram’s algorithm quickly learns when any user starts interacting with this kind of content, recommending more and more. Worse, pedos interacting with this content communicate among themselves in plain sight to exchange illegal material.
It is an overwhelmingly disturbing video. It is an exposé of adults manipulating minors for profit and for sexual gratification. The video naturally generated indignation and attention from social media users, other influencers also picked it up, and it even ended up on the big television networks. Not only that, there were real civil and criminal investigations because, unlike a lot of people on the internet doing this kind of content, he did go to the police.
However, if you are not familiar with Brazilian politics, when something gathers a lot of attention, nine out of ten times a politician will make a law about it; it doesn’t matter whether it is needed or effective, “someone must do something”, they think. In this case, the collective mindset was to do something about “adultization” (a word that I had never heard before). The idea was to somehow make the law cover the case where people exploit minors in sexual contexts, and it is totally a reasonable course of action.
But then, politicians, citizens and Big Media alike all forgot these laws are already on the books. In Brazil there is a huge collection of laws called the Child and Teenagers Statute (ECA, in the Portuguese abbreviation), which is about protecting minors from harm and, more controversially, protecting them when they do harm (don’t ask at a family dinner if they agree on lowering the penal majority age unless you want heated discussions). And if you are not used to how the judiciary works there, the heavy hand of the state is much heavier than in other countries like the US regarding how people should treat minors. Regardless, one year before the presidential and national legislative elections, it is natural to conclude that they, the politicians, wanted some excuse to show some work. After all, nobody gets reelected doing nothing, RIGHT?
(We have many examples to choose from…)
Eventually one of the guys targeted by Felca got charged and convicted of some crimes[12], including producing pornography involving a child or adolescent, besides fines (a slight detour: while the guy got what he deserved, if the news is correct the court took a very liberal approach to “underage pornography” that would, as a consequence, make Felca’s very own video illegal too! But I am too lazy to go any further). Remember, Brazil already has laws to punish the guy for exploiting minors in erotic content, and he was sentenced. I repeat, the criminal was convicted, so it was not a fucking law problem, but this was not enough. It is never enough! They need laws to cover what current laws already cover, so they can show some work to the population when the elections are approaching. A tried and tested strategy and, I hate to say this, it works.
So they found some bills in the drawer that hadn’t gotten enough traction[13] and were never related to that “adultization”, amalgamated them in a few weeks or so and rushed them through Congress and Senate for a quick approval. As a bonus (or onus) for Felca, the law was informally named “Felca’s Law”, but the more official name is Digital Statute for Children and Adolescents (Digital ECA, in Portuguese). What is the main content of those bills?
Not exploiting minors. Not posting content with minors in erotic contexts. Not punishing the predators poaching those teenagers and children. Ah, no, it was about something much more important, urgent, and, oh God, how did the population survive until then?
Age verification on internet.
And on your operating system too.
A well-intentioned video denouncing child abuse was used as a Trojan horse for ID verification on the internet.
Welcome to the brave new world.
(Il)legal analysis
First, a legal analysis is something only a lawyer you trust can provide, and because I am not your lawyer, I cannot give you legal advice; therefore, this analysis is illegal, got it?
Second, I like to make silly jokes.
Third. I have read the law. It is worse than I expected, I do believe, not only in intention; the language is also so confused. For the nerds out there, it can effectively make open source software illegal (or non-compliant) in Brazil. Well, many things in Brazil are illegal but people do them anyway, and as anybody who knows how a corrupt country works can tell you, as long as you don’t poke the wrong bear, you should be fine. Usually.
I am not a news website so I will never talk about a law without giving you a link[9] to the real thing (I have a long rant about that). If the link is in Portuguese, well, that’s Brazil’s official language, but feed the text into any translator and it will do. The difficult part here will be translating the text to English for this post, and I am not ashamed to say I used machine translation to hasten my work because I am lazy. But I promise you I have reviewed all the translations I am posting here, comparing them side by side. Also, I will strongly focus on how it will impact open source, non-commercial software and websites in general, you know, the small guys that are robbed by Big Tech taking their work and not contributing back, or being squeezed by arrogant users complaining to developers that they are not updating their software quickly enough while earning zero dollars in salary, or getting crushed by Big Gov passing laws supposedly aimed at Big Tech but that are nothing more than regulatory capture.
If it quacks like a duck…
Let’s take a look at the Article 1 heading of Law 15,211/2025:
Article 1. This Law provides for the protection of children and adolescents in digital environments and applies to any information technology product or service intended for children and adolescents in Brazil or likely to be accessed by them, regardless of its location, development, manufacturing, offering, commercialization, and operation.
The bold part is mine. This is an important definition used throughout the law text, especially the phrase “likely to be accessed by them”. In the article’s sole paragraph we have the definition of the phrase:
Sole Paragraph. For the purposes of this Law, the following situations are considered likely access by children and adolescents:
I – sufficient likelihood of use and attractiveness of the information technology product or service by children and adolescents;
II – considerable ease of access to and use of the information technology product or service by children and adolescents; and
III – a significant degree of risk to the privacy, safety, or biopsychosocial development of children and adolescents, especially in the case of products or services intended to enable social interaction and large-scale information sharing among users in a digital environment.
Do you see that “and” in item II? So the law applies to an “information technology product or service” that meets all three criteria. But realize that anything could fit all three definitions; it is so open to interpretation that it will be used to squash anything they (the government) don’t like.
There is also a definition for “information technology product or service” in article 2, item I:
I – information technology product or service: a product or service provided remotely, by electronic means, and delivered in response to an individual request, such as internet applications, computer programs, software, terminal operating systems, internet app stores, and electronic games or similar products connected to the internet or another communications network;
There is some interesting language here. I don’t know the difference between “operating systems” and “terminal operating systems” (Diolinux, a Brazilian youtuber focused on open source, thinks[26] it is related to the definition of “terminal” meaning “a computer or any device that accesses the internet” in the Marco Civil da Internet[27], a law from 2014 regulating some online things) and “another communications network” could be your intranet, your LAN, two computers connected together by a 2-dollar ethernet cable. The language here was written by someone who either doesn’t understand how computers work, or understands and means to leave no exceptions.
That means Android, iOS, MacOS, Windows, Linux, this website, your blog, your services running in a Tailscale mesh network are covered by this definition. Sure, we can discuss if community projects are a product or service (implying a commercial relationship, which in the free or open source case I rarely agree with), or if it falls into all the situations from article 1, but knowing that even the Brazilian High Court disregards the literal written meaning of the Constitution, I wouldn’t be surprised if that includes non-commercial, community projects and amateurish websites, including this one. And even if you argue the law won’t be applied due to a mere lack of resources from the government, you just forgot about poking the wrong bear, because a law existing and eventually not being enforced is not a good thing, it is a liability that will bite you in the ass when you are disliked enough.
The badly (or intentionally badly) written law also defines an operating system in article 2, item VII:
VII – operating system: system software that controls the basic functions of hardware or software and enables internet applications, computer programs, apps, or other software to run on it;
Reasonable definition. A coffee machine has one, the TV you have at home probably is smart and has one, even that smart RGB lamp you bought in some Chinese marketplace for 2 dollars has a stripped-down operating system, and if you are brave enough, you can even make it run Doom, somehow. Is your Arch Linux Distro 32-bit covered? If the OS meets the subjective Article 1 definitions, yes; if not, it isn’t. However, I may agree that a 32-bit distribution in 2026 may be harmful to children and they were right in blocking downloads from Brazil… Jokes aside, just the chilling effect of possibly being subject to this law was enough for
My takeaway for this section is that almost everything you use today that is electronic can be covered by age verification. So keep your passport ready next time you make an espresso.
“Your” computer? “Our” computer
One of the core ideas of ownership is that you buy a device, you own it, and you should be able to do anything you want with it (as long as you don’t hurt other people). If I buy a pen, I should be able to write anything with the pen, and I say anything, even things you think are immoral, antisocial and even illegal (except in the US, where you can write the most outrageous things, most of the world has a dim view of freedom of speech). Imagine if your pen blocked you from writing bad words like fuck, slut, asshole unless you scanned your face or identity document to prove you are over 18 or whatever. It would be ridiculous, something out of a crazy fictional book. But somehow, we, as a society, are normalizing things like this when it is about computing devices. Not only normalizing, we are clamoring for it.
Article 12 is the most contentious one. It is antagonistic to how computers should work, and they should work by serving their rightful owners, not third-party interests.
Art. 12. Providers of internet app stores and terminal operating systems shall:
I – take proportionate, auditable, and technically secure measures to verify the age or age group of users, in accordance with the principles set forth in Article 6 of Law No. 13,709, of August 14, 2018 (General Personal Data Protection Law);
[…]
III – enable, through a secure Application Programming Interface (API) designed with privacy protection as a standard, the provision of age signals to internet application providers, exclusively for the purposes of this Law and with adequate technical safeguards.
So yes, here we are, in bold letters.
I can make two types of arguments here. If we assume the definition of “likely access by children and adolescents” applies here, I can easily make a devilish argument saying that, first, a Linux OS can be attractive to minors, like gaming-focused distributions (SteamOS, Bazzite, CachyOS), second, it is easily accessible by them (a few clicks on their website) and, third, it can carry a risk to them because it allows them to… access the internet and access non-Christian websites! Worse, by the nature of free and open software, a knowledgeable child or teenager can even modify their OS to bypass parental controls. Really, I can see this argument being made by politicians and judges alike.
The second type of argument is more direct, because the article doesn’t care about the article 1 definition, it is putting all operating systems in the same basket, big or small, commercial or community supported, and fuck them. A more evil reading is that they are intentionally trying to kill open source operating systems, but I think the Brazilian politicians have that level of intelligence to think about this (keeping my tinfoil hat nearby just in case).
That’s why I think any operating system can be covered, be it the ATM of your bank, the virtual machine deployed in AWS, that server your business runs in the backend, the coffee machine, the elevator of your building, your car, the system running in an Airbus A330. And they need to offer a way for applications to access your age information. What even are “proportionate, auditable, and technically secure measures” anyway? I know you are thinking nobody is going to enforce a law in the situations above, and I agree with you. It probably is not going to be enforced. But the mere fact that it is written this way in the fucking law means the fucking politicians have fewer neurons than a piece of shit (at least shit has some value, as fertilizer).
Let’s assume for a moment this law is absolute and non-compliance gives you a death penalty by hanging on an electric chair. How can you verify the age of the coffee machine user? Why would you do that, what kind of things are you going to protect children against? Stomach ulcers? It is an absurd interpretation of the law, I know, but it is an interpretation. If I can do that, an asshole prosecutor can make this argument and an equally stupid judge can accept it if their enemy is disliked enough.
But ok, you think, you are exaggerating, there is no way to implement this in an efficient way and require ID just to turn on your computer, it is so stup…
Here we are, here we are.
Apple is doing that, right now, in Brazil, the UK and other similar shithole countries. And you know what is funny? Refusing to do that even blocks the browser in iOS from accessing certain websites. The browser! And you can’t even bypass it by installing another browser because Apple only allows using their engine, so all are crippled the same. A computer refusing to do what is ordered by its user.
“I don’t use iPhone, I use Android so I can install whatever I want”
HAHAHAHAHAHAHAHAHA. My apologies, it was involuntary. Google announced last year[15] that you will need to show your ID if you want to release apps for Android, even if outside the Play Store, through another store or even by APK installation. And if your argument is that they rolled back[16] and now they have an advanced power user installation flow, I don’t want to give you bad news but you are one update away from having this privilege (yes, the privilege of doing anything with a device you spent money on) taken away. Worse, one law away. It is clear this movement was pressured by some governments[15] and aligns perfectly with the walled garden business model. Two birds, one stone. Even trying to plead to your EU antitrust bureaucratic regulation won’t save you when your politicians want to take your freedom of compute away.
“I will just install Linux so fuck them all”
Keeps laughing. Yes, fuck them all, and I even agree with you that the people who really want to evade all this age verification bullshit will have many holes to escape through. For now. I am not waving the “freedom of computing” sentence for free, I am doing it because I do agree with the argument that we are living through the war on general computing coming from both big tech and governments[17]. Just think for a millisecond, can you run Riot’s Valorant on Linux? No, because it requires Secure Boot[20] and TPM[19] together[18] (if you don’t know what they are, check their Wikipedia pages). Together, these are mechanisms to cryptographically verify the operating system was not modified by the user (or viruses) because they can’t trust the user not to install cheats. A mechanism that can be used to verify your operating system is being a well behaved state agent legit for your own safety of course. It is not impossible for (some) Linux distributions to fulfill these requirements. However, it is just incompatible with how Linux and open source software should run: the user is the king. The problem is the law can state otherwise. A government can legally lock down your device.
So, you are very smart and used an LLM to find a way to feed the age API in Linux with whatever age you wanted, after all, you are not going to submit to this piece of shit of legislation. Fine, I would do the same, but then in paragraph 3 of article 12 we have this:
§ 3 An Executive Branch regulation shall establish the minimum requirements for transparency, security, and interoperability for the age verification and parental supervision mechanisms adopted by operating systems and app stores.
Hmm, so the law takes its hands off the responsibility to establish how this age verification will be done and delegates it to the Executive. What if whatever regulation the Executive makes says that all operating systems need to have an unforgeable way to verify and store user age information? What if another president tomorrow, one who is not aligned with your ideals, takes power and declares all open source distributions incompatible with the law and, therefore, banned? If the regulation says this information must be unforgeable, Linux is dead in Brazil, at least legally. An operating system where you can’t change how it works is not open source.
We can go deeper, a future law could say “no device shall be able to install non-government approved operating systems”, and then one of the requirements to have an OS approved is “it cannot allow the user to change how the age API works” or something like that. The TPM plus secure boot plus hardware attestation (the latter is already used by both iOS and Android) can be used to make your device comply, forcefully. There are only a few phone brands that allow you to install another Android operating system, for example, and when you do, you are not blessed enough by an American Big Tech, so many important apps, like those from banks or government, refuse to run on such devices. This is also not a hypothesis, this happens right now with CalyxOS, PostmarketOS, GrapheneOS[21], and other Android versions that didn’t receive the stamp from Google. For your safety, citizen.
The argument I am trying to make here is: it is fine if you have the skills to circumvent the law, and I support civil disobedience in these cases. But these are technological countermeasures, not political ones. They will throw the book at you if you poke the wrong people the wrong way. They will make your life difficult. And all the efforts to make, for example, Linux more accessible that were happening in the last years, including being able to run the most modern games well, will go down the drain.
The regulation puzzle
Paragraph 3 of article 12 is not just a small thing. Days after the law went into force, the Executive did publish the regulation the paragraph refers to, and it doesn’t make things better.
The Decree 12,880/2026[22] is a mixture of re-affirmations of the law and new rules. Yes, because one law is not enough, we need to have a decree on top of the law to complicate things (I didn’t even tell you another regulation is coming, regarding how the age verification can be done concretely).
Let’s do more analysis.
Article 2, items I, II and III define three types of content that are very important to understand the legal text:
Article 2. For the purposes of this Decree, the following definitions apply:
I - inappropriate or unsuitable content, product, or service: any content, product, or service that may pose a risk to the privacy, safety, psychosocial development, mental and physical health, and well-being of children and adolescents, in accordance with the age rating system, where applicable;
II - content, product, or service prohibited for children and adolescents - any content, product, or service to which access, availability, acquisition, or consumption is expressly prohibited for children and adolescents by specific legal provision;
III - pornographic content - content whose predominant purpose is the depiction of sexually explicit acts or the display of nudity with sexual connotations or intent, subject to the specifications and exceptions provided for in Article 16;
Keep them in mind.
Article 15 explicitly requires providers of content prohibited to under-18s to implement age verification:
Art. 15. Any provider of information technology products or services that makes available content, products, or services prohibited for children and adolescents, pursuant to the provisions of Articles 9 through 15 of Law No. 15,211, dated September 17, 2025, shall:
I - implement effective age verification mechanisms; and
II - effectively prevent access to, use of, or consumption by children and adolescents.
Item I is interesting because article 26 (see later) kind of contradicts it. The latter says a service is allowed to receive the age signal from the OS or app store while the former requires those services to implement age verification. The same happens for article 16 paragraph 1:
§ 1 Providers of information technology products or services that make available their own or third-party pornographic content must implement their own age verification mechanisms to ensure that children and adolescents cannot access such content, even in the form of previews, images, titles, or captions.
So… do they also need to verify age or can they use the signal from OS/app stores? Well, it is no news how badly this regulation was written.
The article text provides a long list of reasonable things you don’t want a child or adolescent to have access to, like firearms, alcohol, cigarettes, online casinos, loot boxes, sexual services (in Brazil prostitution is legal), etc. Articles 17 and 18 allow for partial blocking, that means, you are allowed to not exhibit the prohibited content if you can’t verify the user’s age, but it doesn’t force a general blockade. Article 17 is focused on pornographic content and article 18 is focused on restricted products or services.
Even social media can just block the prohibited content instead of age-verifying everyone:
Art. 19. If a social media service makes available content, products, or services prohibited for children and adolescents, it must:
I - create versions without such content, products, or services, or advertising related to such content, products, or services, in which case age verification is not required; or
II - adopt effective age verification mechanisms, under the terms established by the ANPD, with self-declaration prohibited.
§ 1 The provisions of item I of the main article apply to unregistered or unauthenticated users.
[…]
The problem with this approach is… it is just easier and juicier to gulp down your users’ personal information for target advertisement mass surveillance dopamine maximization protect children and adolescents than to have an effective way to filter out things it must not show to minors. I know that any system you implement to try to filter things will, always, rely on automated systems with a huge amount of false positives and false negatives. And if you rely on organic systems in some poor country to do that for you, they may be traumatized by the things they need to censor the entire day[28]. In the end, the result is always more censorship.
(I am using “censorship” here in lato sensu, meaning an act to suppress information whatever the reason, which carries a different moral weight than state censorship).
So, if TikTok really wants to, they can skip age verification as long as they keep their content in check. But they won’t let this chance to boost their addiction algorithm pass, will they?
Article 23 is about loot boxes in games:
Art. 23. Providers of video games containing loot boxes must verify the age of users, in accordance with the provisions of Art. 20 of Law No. 15,211, dated September 17, 2025, in order to prevent children and adolescents from accessing this feature.
§ 1 The electronic games referred to in the preceding paragraph may offer versions without loot boxes or completely restrict access to the loot box feature by default, in which case age verification is not required.
My opinion? Totally reasonable, fuck loot boxes. But still, I am against age verification by itself because there is practical and private way to do it.
To make things funnier, Article 21 requires operating systems to block access to unregulated lotteries, and lotteries without age verification. Operating systems!
Art. 21. Internet app stores and operating systems must prevent the availability of products or services that promote, offer, or facilitate access to lotteries of any kind, including fixed-odds betting, that are not authorized by the competent authorities, and those that do not provide age verification solutions, pursuant to the provisions of […bunch of articles…].
You see how stupid this is? Requiring operating systems to block this kind of lottery (and only lotteries, not other kinds of content or service!) is at the same time too specific and too horrific. It opens the door for the government to naturally regulate any other kind of application that should run on our own devices.
Well, here goes more of this bullshit. Article 25 of the decree also adds the following obligation to operating systems and app stores:
Art. 25. Internet app stores and operating systems shall provide user age verification data to suppliers of information technology products or services, free of charge, pursuant to the provisions of Article 12, main clause, item III, of Law No. 15,211, of September 17, 2025, without prejudice to any mechanisms that the latter may adopt.
§ 1 The age indicators referred to in the main clause shall be limited to the data strictly necessary to confirm the minimum age required for access to the information technology product or service; the transmission of the exact date of birth, civil identity, or user profiling data is prohibited.
So OSs and app stores must somehow transmit to applications only your age and pinky promise not to use your data for anything else, right? Ok, let’s pretend we believe it and continue the article:
§ 2 To comply with the provisions of the main clause, internet app stores and terminal operating systems shall:
I - request that users declare their age or age group when creating an account;
II - verify age using a reliable method, in accordance with the terms established by the ANPD, preferably by adopting verifiable credentials, pursuant to the provisions of Article 11 of Law No. 15,211, of September 17, 2025;
Remember, one interpretation of this regulation is that there are no exceptions! Every time you run adduser in a Kubernetes cluster holding the production system of a huge bank you must declare your age and use a “reliable” method that is not even defined. And if your system is offline, as in a lot of embedded devices or in restricted network spaces? The “terminal operating systems” expression disappeared in the decree. There is no way to verify age using a reliable method, so the operating system is not complying with the law and the manufacturer is subject to fines. My crazy dream is for OS providers to push an update and brick all server devices running the country, printing big red letters on the screen telling the user THE LAW FORCED US TO DO SO and refusing to run unless they see some ID. How cool would that be?
Finally, the cherry on top of the pissed cake:
IV - adopt measures to prevent the creation of multiple accounts or other schemes intended to circumvent age verification mechanisms.
Well, at the same time, article 24 paragraph 3 says:
§ 3 The processing of data resulting from the collection of documents shall be limited to data regarding age or confirmation of age group; the storage, retention, or any form of preservation of the image, copy of the document, or information is prohibited, and such data must be deleted immediately and irreversibly after the necessary information has been captured, pursuant to the provisions of Law No. 13,709, of August 14, 2018.
Oh my fucking hell! The law makes impossible demands. If you can’t store any user information how can you stop someone creating multiple accounts? Really, how can you do one without the other? Did they write this regulation with fucking AI? You cannot have it both ways. In other words, using adduser twice may be forbidden soon, but more realistically, if you are asking for age without storing any other information about the user, item IV is impossible to comply with. Well, we just need to pretend to believe they will not be storing any information besides the age bracket. And again, this age verification item makes any user-serviceable operating system non-compliant.
Article 26 brings a contradiction with articles 15 and 16 above because it says it is fine to use the age signal from the OS or app store, while the latter say they must implement the age verification themselves. Which one is correct?
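The conflict between item IV and Art. 24 § 3 can be shown in a few lines. This is an added sketch, not code from the decree, the law or this site; the class names, bracket labels, key and sample document number are assumptions made up for the example.

```python
import hashlib
import hmac
from datetime import date

def age_bracket(birth: date, today: date) -> str:
    """Reduce a birth date to a coarse bracket (bracket names are assumed)."""
    age = today.year - birth.year - ((today.month, today.day) < (birth.month, birth.day))
    return "18+" if age >= 18 else "16-17" if age >= 16 else "under-16"

class DeleteEverything:
    """Art. 24 § 3 read literally: keep the bracket, discard all document data."""
    def __init__(self):
        self.accounts = {}  # account name -> age bracket, nothing else

    def enroll(self, account, doc_number, birth, today):
        self.accounts[account] = age_bracket(birth, today)
        return True  # nothing retained to compare against, so always accepted

class KeepFingerprint:
    """Item IV made enforceable by retaining a keyed hash of the document number."""
    def __init__(self, key: bytes):
        self.key = key
        self.accounts = {}
        self.seen = {}  # fingerprint -> first account enrolled with that document

    def fingerprint(self, doc_number: str) -> str:
        return hmac.new(self.key, doc_number.encode(), hashlib.sha256).hexdigest()

    def enroll(self, account, doc_number, birth, today):
        fp = self.fingerprint(doc_number)
        if fp in self.seen:
            return False  # duplicate caught, only because fp was stored
        self.seen[fp] = account
        self.accounts[account] = age_bracket(birth, today)
        return True

def demo():
    today = date(2026, 1, 1)
    doc, birth = "DOC-0001", date(1990, 5, 17)  # constructed sample values
    strict = DeleteEverything()
    strict_results = (strict.enroll("acct-a", doc, birth, today),
                      strict.enroll("acct-b", doc, birth, today))
    dedup = KeepFingerprint(key=b"constructed-demo-key")
    dedup_results = (dedup.enroll("acct-a", doc, birth, today),
                     dedup.enroll("acct-b", doc, birth, today))
    # The stored fingerprint is a stable pseudonym: whoever holds the key and a
    # document number can look up which account that document enrolled.
    linked_account = dedup.seen.get(dedup.fingerprint(doc))
    return strict_results, dedup_results, linked_account

if __name__ == "__main__":
    print(demo())
```

The store that deletes everything accepts the same document twice; the store that catches the duplicate does so only by keeping a document-derived value that ties the document to an account.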
Art. 26. Providers of information technology products or services intended for children and adolescents, or likely to be accessed by them, who make available content, products, or services whose provision or access is inappropriate, unsuitable, or prohibited for children and adolescents, pursuant to the provisions of Chapter VI of this Decree, shall receive the age indicators referred to in Art. 12, caput, item III, of Law No. 15,211, of September 17, 2025, and in Art. 25 of this Decree.
[…]
§ 2 Providers of information technology products or services accessible through internet browsing systems must verify the user’s age and may use age verification signals provided by the operating system, the app store, or another digital service provider to comply with the obligation set forth in the caput.
Question for lawyers, not me. I would say maybe prohibited and pornographic content providers (but not improper or unsuitable, see definition at the start of this section) need to have a different method to check the age?
Closing this section, if they really want to legally kill Linux and other open source systems in Brazil, article 29 is the final nail:
Art. 29. The ANPD [Data Protection Regulatory Agency] may require suppliers of information technology products or services to adopt additional technical measures to prevent or hinder technological mechanisms designed to circumvent or evade the provisions of this Chapter and Chapter VI.
Not only does it mean forcibly changing how software works, it is a hint that VPNs and proxies are the next target, because, let’s be frank, they are a way to circumvent these kinds of age verification regulations. In other words, in the next weeks we are gonna see how deep in Brazilians’ asses they are going to insert this huge age verification carrot. The regulatory agency can bring any arguments they want and swipe in Brazilians’ faces an index of what operating systems they are allowed to use and access from now on.
Let the games begin
Being truthful, the regulation is correct in many other points, like banning loot boxes for under 18 (art. 20 of the law); banning them from buying things that are already banned for them to buy (drinks, cigars) (art. 6); unlike Australia, social media was not banned for minors, but everyone under 16 must have a “guardian” account from their parents that can set parental controls (art. 24); parental control tools must be accessible (chapter V). My main point in the age verification debate is that it is not possible to verify age without implementing a surveillance infrastructure, no matter what you write in the law. Today the service provider/app store/operating system is forbidden (pinky promise) to collect any other data besides age, tomorrow the population and politicians will think “there is still too much abuse, collect all data”, next day “there is still too much abuse, you can only use your phone with the camera and microphone turned on”, next day “they are checking your ID anyway, why don’t you link social media usage with our government databases?”. I know I may be overusing the slippery slope fallacy, but we know how it works and we all know what happens in China. Even if you don’t want to comply, as long as everyone around you complies because of convenience (convenience always wins), you will be dragged into this mess. The Big Tech created a huge, gigantic surveillance system to serve us better… ads, and governments realized this is a gold mine for population surveillance and societal manipulation, so they can keep in check critics criminals[23, 24] that threaten our society.
But we can use double blind zero-knowledge proof for…
Did you fucking read what I wrote? The infrastructure is being built. And by the way, for the average user, not you because I know you are very smart, but for the average user, he doesn’t care about all this. At the end of the day they are going to send their identities to shady corporations in exchange for dopamine while doom scrolling an infinite wall of brain rot in their favorite app. Brazil is not the EU, is not the US. People there don’t fucking care about privacy, they are so tired of being targets for street criminals, living in a violent country with 19 homicides per 100 thousand people[24, 2023], that they will grab at anything promising more safety. And people who care about privacy always get the same rhetoric “do you have something to hide?” and are treated like criminals. There is no pressure, not from Big Tech (because they want more data about you), not from the government side (they want to track you across your life), even less from the population (that doesn’t understand shit about it) to implement cryptographically complicated mechanisms of age verification. The more information they have and the less information we have, the better for them.
So you think children should be able to buy a bottle of vodka and smoke weed???
Fuck this argument. When you hand over your ID to a cashier he/she reads your date and forgets it 5 minutes later. If you show your driver’s license they don’t even check your age, for obvious reasons (except in the US, but you can buy a gun instead, what a great country!). There is no centralized system, no database, just the fallible human brain at remembering things. There are fucking zero guarantees those services will not retain your information. Zero. Privacy policy? Data privacy laws? Hmpf, we all know every fine is just a cost of doing business.
I have nothing to hide!
Good for you, but I do. Yes, I do. It is my right to hide things from other people, companies, governments. I don’t want to live in a panopticon state with an AI analyzing everything I do and scoring how good a citizen I am. If you think giving your documents to Big Tech is ok, if you don’t mind because “I am tracked anyway” (I heard this a lot from relatives), fine, go ahead, scan your face, get used to every small action you do needing a bureaucratic stamp seal from someone with much more power than you. But when you support these kinds of laws you are taking my agency too. Wouldn’t it be nice to live in a world where you can reveal everything you want and I hide everything I want?
Can’t you stop being so conspiratorial?
No.
There is no conspiracy, but an alignment of interests. Meta is a big proponent of age verification because it can squeeze more data from its subjects users to feed the misanthrope Suckerberg. More regulation also protects incumbents. An old cliché that has a name: regulatory capture. Or kicking the ladder, in simple terms. I sincerely hope those people who buy politicians and meddle in the public process to pass this kind of regulation go fuck themselves in hell, band of assholes.
But, suppose I accept the argument that parents are too dumb to deal with those pests and we need more state intervention in our private lives (“won’t somebody think of the children?”, screams some Karen at the same time she takes pictures of her kids and posts them on Instagram so assholes losers like the ones Felca exposed can subvert even innocent images), and therefore I need to accept some restriction in my adult, self-sufficient life. The least bad option is a method where I can prove I am an adult without revealing any other information to anyone. Do I really want that, a bureaucratic step? How would this be done in practice? Should I use a government app (yuck) to redeem “adult tokens”? How can I be sure those tokens are not linkable to my identity? Is this app only running on a blessed iPhone or Android device? Can I use Linux or any custom operating system or will it be considered not secure enough and, therefore, restricted from the internet? How can I trust an infrastructure made to deceive and track? Can I really trust any double blind zero knowledge magic purpurine mumbo jumbo popping in the streets? Right now, there are no answers. Until then, and especially after then, I will keep lurking and squirming around one of the biggest privacy threats in our online life.
(Il)legal conclusion
The law, and then the decree regulating it, gave me headaches, but this is what I concluded:
- If you are an operating system (Windows, Android, macOS, iOS, Linux, embedded systems) or application store (Google Play, Apple Store, F-Droid, Microsoft Store, Ubuntu something) you can be covered (art. 1, art. 12 of the law, regulated by art. 26 of the decree) and must retain age information of the user. Also, you must offer this age signal as an API for information technology providers to consume. At the same time, you cannot send the exact date of birth or other user data (art. 25 of the decree).
- If you are not an OS or app store but you offer a product or service (the law doesn’t define what a product or service is, could it be this website?), but you are not a social network, you should ask your users their age and “adequate the experience” (art. 10 of the law, regulated by art. 14 of the decree) if your service is “probable to be accessed by children and adolescents” (go back to the law’s article 1). At the same time, the decree’s art. 26 main clause says you need to receive the age signal if the content is inappropriate, inadequate or forbidden for under 18, and paragraph 3 of the same article says receiving the age signal from the OS or app store to adequate the experience is sufficient, but art. 15 item 1 says you need to implement it yourself. Which one is right?
- If you are not an OS or app store but you are an information technology provider, and what you offer is forbidden for minors (strictly over 18, basically, pornography), you must block them from using your service, or at least, hide the forbidden content (art. 9 of the law, art. 15 and 17 of the decree). On top, I think you cannot rely on age signals and must use your own verification mechanism (art. 15 item 1 and art. 16 paragraph 1 of the decree).
- If you are a social network, you must identify users under 16 and link their profile to a guardian (parents) account (art. 24 of the law). Confusingly, at the same time, it doesn’t need to verify age if it doesn’t show forbidden content to minors (art. 19 of the decree), so I see another conflict here. Looks like they really used AI to create this shit…
What I see in general is a two-tier system: pornographic websites must verify the age twice (by age signal and their own method). For anything else, receiving those signals is enough, but you must filter out inappropriate content. The law and decree sometimes have conflicting language so it is a bit hard to understand.
Free and open source application stores like F-Droid, Flathub, Snap Store, etc. may fall under app store regulations. Again, incompatible with open source values…
Final thoughts
If you didn’t notice yet, I am opposing age verification in principle because I don’t think I should weaken my privacy and be forced to give any information about me just for accessing some website. Also, there is no private and anonymous way to do that without leaking your information to some party. To be clear, my opposition is not because I don’t think there are things inappropriate for children and teenagers. I do think certain things shall be inaccessible until you are 18 (an arbitrary number, nonetheless). I do think mandating parental controls and mechanisms is a good idea, at least for big companies. However, these are all tools that should be used by a responsible parent and, being sincere, part of Brazil’s structural problems like high crime and violence exist exactly because children grow up in environments lacking moral and ethical references and the ones responsible for them are, well, irresponsible. No amount of technology and tools will change that. Regarding the age verification itself, it is not in the interest of powerful parties to allow anonymous age checks because (being a bit cynical) the goal is to feed in small servings the acceptance of giving your identification when using internet services. On top, the law’s coverage is so broad that it makes no exception for small communities, meaning your hobby Mastodon instance or ant-keeping forum can fall in the scope, no matter if it has 10 users or 1 million users, because all definitions are open and subjective. Especially if you have a federated social media instance, where you don’t control all the content that comes in. How can you create something with this burden? If you don’t wanna be bothered, it is better to block Brazil, UK, Australia, etc. altogether and pray your jurisdiction doesn’t pass similar laws. Even a site like this one can run afoul of age verification regulation, and although I don’t think I will be bothered, the mere possibility of this happening can have a chilling effect.
If you are reading this here, you may be against all those age verification things, so I advise you to arm yourself with tools and knowledge to find the holes around all this bullshit. If you have the power to change the law, even better. If you just came here to read a contrarian opinion, welcome. I just think I should not pay the price when the irresponsible ones are other adults.
References
[1] Online Safety Amendment (Social Media Minimum Age) Act 2024, Australia Federal Legislation Registry
[2] Social media ban for children under 16 starts in Australia, Associated Press
[3] Online Safety Act 2023, UK Legislation
[4] Online Safety Act: explainer, Department for Science, Innovation & Technology, UK
[5] Chat Control: What is actually going on?, European Digital Rights
[6] US state laws push age checks into the operating system, The Register
[7] Age Verification Lobbying: Dark Money, Model Legislation & Institutional Capture, The TBOTE Project
[8] Age verification signals: software applications and online services, California Legislature
[9] LEI Nº 15.211: Estatuto Digital da Criança e do Adolescente, Planalto
[10] NY State Senate Bill 2025-S8102A: Age assurance via device manufacturers, New York State Senate
[11] NY State Senate Bill 2025-S9005B: State budget implementation, New York State Senate
[12] Hytalo Santos: entenda por quais crimes influenciador foi condenado, G1
[13] PL 2628/2022: Proteção de crianças e adolescentes em ambientes digitais, Câmara dos Deputados
[14] Proof-of-age ID leaked in Discord data breach, The Guardian
[15] A new layer of security for certified Android devices, Android Developers Blog
[16] Android developer verification: Balancing openness and choice with safety, Android Developers Blog
[17] 28c3: The coming war on general computation, YouTube
[18] Valorant Specs, Riot Games
[19] Trusted Platform Module, Wikipedia
[20] UEFI: Secure Boot, Wikipedia
[21] Attestation compatibility guide, GrapheneOS
[22] DECRETO Nº 12.880: Regulamenta Lei nº 15.211 sobre proteção de crianças e adolescentes em ambientes digitais, Planalto
[23] Kash Patel admits under oath FBI is buying location data on Americans, The Guardian
[24] FBI started buying Americans’ location data again, Kash Patel confirms, Ars Technica
[25] Intentional homicides per 100 000 habitants, United Nations
[26] Como a “Lei Felca” pode afetar o Linux no Brasil? - DR, Diolinux Youtube channel
[27] Lei Nº 12.965, DE 23 de abril de 2014, Planalto
[28] More than 140 Kenya Facebook moderators diagnosed with severe PTSD, The Guardian
[29] adultização, Felca’s Youtube channel