GrapheneOS Rejects Age Verification Laws for OS Users
GrapheneOS developers have officially refused to implement mechanisms for collecting user age data required by new laws in Brazil, California, and Colorado. The OS will remain available without mandatory identification, even if it leads to sales bans in certain regions.
New Age Verification Regulations
Starting March 17, 2026, Brazil's Digital ECA 15.211/2025 law takes effect. It imposes fines of up to 50 million reais (about $9.5 million) on OS providers that fail to implement age verification during installation. Similar requirements are rolling out in the US: California's AB 1043 takes effect on January 1, 2027, while Colorado's SB26-051 was already approved by the senate on March 3.
These laws require OSes to request age or date of birth when creating an account and share the data with app developers. Biometrics or photo ID aren't mandatory—just self-reporting is enough. Critics, including over 400 computer science researchers, highlight the flaws: the data is easy to fake, and the infrastructure enables mass surveillance.
GrapheneOS Stance and Alternatives
GrapheneOS will maintain anonymous access without accounts or personal data. Developers stated that if regional rules block sales of devices running their OS, so be it. The system prioritizes privacy and security, making it popular among users who shun tracking.
Other projects are following suit:
- DB48X (open-source calculator firmware): doesn't implement age checks and has no plans to.
- MidnightBSD: updated its license to ban use in Brazil.
These choices emphasize privacy over regulatory compliance, even if it limits market access.
Partnership with Motorola
On March 2 at MWC, Motorola and GrapheneOS announced a collaboration. The secure OS will expand beyond Google Pixel to Motorola devices in 2027. This opens up the hardened Android fork—with enhanced process isolation, sandboxing, and boot verification—to more users.
For developers, it means testing on new hardware without Pixel ecosystem limits. GrapheneOS builds on upstream AOSP with patches to the kernel, SELinux, and exploit mitigations, and that will carry over to the partnership.
Technical Privacy Features in GrapheneOS
The OS focuses on minimizing the attack surface:
- Enhanced sandboxing: apps are isolated more strictly than in stock Android.
- Vanadium browser: hardened Chromium without Google services.
- Scoped storage and permissions: granular control over data access.
- Hardware attestation: integrity checks without sharing PII.
- Auditor app: for verifying installations.
Rejecting age verification fits right in: no central metadata collection means no correlation attacks.
Key Points
- GrapheneOS won't collect age data, even at the risk of blocks in regions with strict laws.
- Brazil's Digital ECA is already in force, with fines up to 50 million reais for noncompliance.
- California and Colorado are set to introduce similar rules in 2027; critics warn of surveillance risks.
- The Motorola partnership will bring GrapheneOS to new devices in 2027.
- Alternatives like DB48X and MidnightBSD are also ditching compliance.
— Editorial Team
No comments yet.