From the be­gin­ning, our goal has been to build tools that rad­i­cally change what it feels like to work with Python — tools that feel fast, ro­bust, in­tu­itive, and in­te­grated.

Today, we’re tak­ing a step for­ward in that mis­sion by an­nounc­ing that we’ve en­tered into an agree­ment to join OpenAI as part of the Codex

team.

Over the past few years, our tools have grown from zero to hun­dreds of mil­lions of down­loads per month across Ruff, uv, and

ty. The Astral tool­chain has be­come foun­da­tional to mod­ern Python de­vel­op­ment. The num­bers — and the im­pact — went far be­yond my most am­bi­tious ex­pec­ta­tions at every step of the way.

Open source is at the heart of that im­pact and the heart of that story; it sits at the cen­ter of every­thing we do. In line with our phi­los­o­phy and

OpenAI’s own an­nounce­ment, OpenAI will con­tinue sup­port­ing our open source tools af­ter the deal closes. We’ll keep build­ing in the open, along­side our com­mu­nity — and for the broader Python ecosys­tem — just as we have from the start.

I view build­ing tools as an in­cred­i­bly high-lever­age en­deavor. As I wrote in our

launch post three years ago: “If you could make the Python ecosys­tem even 1% more pro­duc­tive, imag­ine how that im­pact would com­pound?”

Today, AI is rapidly chang­ing the way we build soft­ware, and the pace of that change is only ac­cel­er­at­ing. If our goal is to make pro­gram­ming more pro­duc­tive, then build­ing at the fron­tier of AI and soft­ware feels like the high­est-lever­age thing we can do.

It is in­creas­ingly clear to me that Codex is that fron­tier. And by bring­ing Astral’s tool­ing and ex­per­tise to OpenAI, we’re putting our­selves in a po­si­tion to push it for­ward. After join­ing the Codex team, we’ll con­tinue build­ing our open source tools, ex­plore ways they can work more seam­lessly with Codex, and ex­pand our reach to think more broadly about the fu­ture of soft­ware de­vel­op­ment.

Through it all, though, our goal re­mains the same: to make pro­gram­ming more pro­duc­tive. To build tools that rad­i­cally change what it feels like to build soft­ware.

On a per­sonal note, I want to say thank you, first, to the Astral team, who have al­ways put our users first and shipped some of the most beloved soft­ware in the world. You’ve pushed me to be a bet­ter leader and a bet­ter pro­gram­mer. I am so ex­cited to keep build­ing with you.

Second, to our in­vestors, es­pe­cially

Casey Aylward from Accel, who led our Seed and Series A, and Jennifer Li from Andreessen Horowitz, who led our Series B. As a first-time, tech­ni­cal, solo founder, you showed far more be­lief in me than I ever showed in my­self, and I will never for­get that.

And third, to our users. Our tools ex­ist be­cause of you. Thank you for your trust. We won’t let you down.

About Kagi Log in Try for free

“They pulled me out in­stead and be­gan jump­ing on my back,” he said. “Then they took me to a cor­ner and ques­tioned me about who had been in the car. I told them it was my mother and fa­ther. They ac­cused me of ly­ing and started beat­ing me.”

The ver­dict was the ic­ing on the cake.

Afroman did not de­fame Ohio cops in a satir­i­cal mu­sic video that fea­tured footage of them fruit­lessly raid­ing the rap­per’s house, a jury found on Wednesday.

The 51-year-old “Because I Got High” rap­per, whose real name is Joseph Foreman, held up his hands in tri­umph and hugged peo­ple in the court­room af­ter he was found not li­able for defama­tion, or in­va­sion of pri­vacy false light pub­lic­ity.

Foreman was sued by the Adams County Sheriff’s Office over a drug search at his home in August 2022 that re­sulted in no crim­i­nal charges.

The hip hop star wrote the satir­i­cal song “Lemon Pound Cake” and made a mu­sic video with real footage of the raid taken from his home sur­veil­lance cam­eras to raise money for prop­erty dam­age caused dur­ing the search, he has said.

Seven cops with the sher­if­f’s of­fice then sued him in March 2023, al­leg­ing the mu­sic video de­famed them, in­vaded their con­sti­tu­tional pri­vacy, and was an in­ten­tional in­flic­tion of emo­tional dis­tress.

The video fea­tures footage of the cops bust­ing down his door dur­ing, and of one of­fi­cer eye­ing his “mama’s lemon pound­cake” with his gun drawn.

After mak­ing the mu­sic video, Foreman al­legedly con­tin­ued putting up so­cial me­dia posts with names of the of­fi­cers in­volved, the law­suit states.

Several of the posts al­legedly falsely claimed that the cops “stole my money” and were “criminals dis­guised as law en­force­ment,” ac­cord­ing to the suit.

They also falsely stated that the of­fi­cers are “white su­prema­cists,” that Officer Brian Newman “used to do hard drugs” be­fore “snitching” on his friends, and that Officer Lisa Phillips is “biologically male,” ac­cord­ing to the law­suit.

Foreman’s lawyer had ar­gued the song, which he de­scribed as a com­bi­na­tion of com­edy and mu­sic, was sim­ply free speech.

“We see pub­lic of­fi­cials all the time that are made fun of,” lawyer David Osborne said in a clos­ing state­ment Wednesday. “They are go­ing to be held to higher stan­dards, their work is go­ing to be crit­i­cized, that’s just what hap­pens when you’re a pub­lic of­fi­cial.”

“It’s a so­cial com­men­tary on the fact that they did­n’t do things cor­rectly,” he said of the of­fi­cers.

An at­tor­ney for the po­lice, mean­while, de­manded a to­tal of $3.9 mil­lion in dam­ages — di­vided among the seven of­fi­cers in­volved.

“[Foreman]  per­pet­u­ated lies in­ten­tion­ally re­peat­edly over 3 1/2 years on the in­ter­net about these seven brave deputy sher­iffs,” lawyer Robert Klingler said in clos­ing re­marks Wednesday. “[He] knew that what he posted on  the in­ter­net were lies.”

“He says he’s not go­ing to stop…tell him through your ver­dict that he needs to stop,” Klingler added.

“All of this is their fault,” Foreman tes­ti­fied in court Tuesday, ac­cord­ing to WCPO.

“If they had­n’t wrongly raided my house, there would be no law­suit, I would not know their names, they would­n’t be on my home sur­veil­lance sys­tem, and there would be no songs … my money would still be in­tact.”

Zen gives you ac­cess to a hand­picked set of AI mod­els that OpenCode has tested and bench­marked specif­i­cally for cod­ing agents. No need to worry about in­con­sis­tent per­for­mance and qual­ity across providers, use val­i­dated mod­els that work.

The “advanced flow” will be avail­able be­fore ver­i­fi­ca­tion en­force­ment be­gins later this year.

Google is plan­ning big changes for Android in 2026 aimed at com­bat­ing mal­ware across the en­tire de­vice ecosys­tem. Starting in September, Google will be­gin re­strict­ing ap­pli­ca­tion side­load­ing with its de­vel­oper ver­i­fi­ca­tion pro­gram, but not every­one is on board. Android Ecosystem President Sameer Samat tells Ars that the com­pany has been lis­ten­ing to feed­back, and the re­sult is the newly un­veiled ad­vanced flow, which will al­low power users to skip app ver­i­fi­ca­tion.

With its new lim­its on side­load­ing, Android phones will only in­stall apps that come from ver­i­fied de­vel­op­ers. To ver­ify, devs re­leas­ing apps out­side of Google Play will have to pro­vide iden­ti­fi­ca­tion, up­load a copy of their sign­ing keys, and pay a $25 fee. It all seems rather oner­ous for peo­ple who just want to make apps with­out Google’s in­ter­ven­tion.

Apps that come from un­ver­i­fied de­vel­op­ers won’t be in­stal­lable on Android phones—un­less you use the new ad­vanced flow, which will be buried in the de­vel­oper set­tings.

When side­load­ing apps to­day, Android phones alert the user to the “unknown sources” tog­gle in the set­tings, and there’s a flow to help you turn it on. The ver­i­fi­ca­tion by­pass is dif­fer­ent and will not be re­vealed to users. You have to know where this is and proac­tively turn it on your­self, and it’s not a quick process. Here are the steps:

Enable de­vel­oper op­tions by tap­ping the soft­ware build num­ber in About Phone seven times

In Settings > System, open Developer Options and scroll down to “Allow Unverified Packages.”

Flip the tog­gle and tap to con­firm you are not be­ing co­erced

Return to the un­ver­i­fied pack­ages menu at the end of the se­cu­rity de­lay

Scroll past ad­di­tional warn­ings and se­lect ei­ther “Allow tem­porar­ily” (seven days) or “Allow in­def­i­nitely.”

Check the box con­firm­ing you un­der­stand the risks.

You can now in­stall un­ver­i­fied pack­ages on the de­vice by tap­ping the “Install any­way” op­tion in the pack­age man­ager.

The ac­tual leg­work to ac­ti­vate this fea­ture only takes a few sec­onds, but the 24-hour count­down makes it some­thing you can­not do spur of the mo­ment. But why 24 hours? According to Samat, this is de­signed to com­bat the ris­ing use of high-pres­sure so­cial en­gi­neer­ing at­tacks, in which the scam­mer con­vinces the vic­tim they have to in­stall an app im­me­di­ately to avoid se­vere con­se­quences.

You’ll have to wait 24 hours to by­pass ver­i­fi­ca­tion.

You’ll have to wait 24 hours to by­pass ver­i­fi­ca­tion.

“In that 24-hour pe­riod, we think it be­comes much harder for at­tack­ers to per­sist their at­tack,” said Samat. “In that time, you can prob­a­bly find out that your loved one is­n’t re­ally be­ing held in jail or that your bank ac­count is­n’t re­ally un­der at­tack.”

But for peo­ple who are sure they don’t want Google’s ver­i­fi­ca­tion sys­tem to get in the way of side­load­ing any old APK they come across, they don’t have to wait un­til they en­counter an un­ver­i­fied app to get started. You only have to se­lect the “indefinitely” op­tion once on a phone, and you can turn dev op­tions off again af­ter­ward.

According to Samat, Google feels a re­spon­si­bil­ity to Android users world­wide, and things are dif­fer­ent than they used to be with more than 3 bil­lion ac­tive de­vices out there.

“For a lot of peo­ple in the world, their phone is their only com­puter, and it stores some of their most pri­vate in­for­ma­tion,” Samat said. “Over the years, we’ve evolved the plat­form to keep it open while also keep­ing it safe. And I want to em­pha­size, if the plat­form is­n’t safe, peo­ple aren’t go­ing to use it, and that’s a lose-lose sit­u­a­tion for every­one, in­clud­ing de­vel­op­ers.”

But what does that safety look like? Google swears it’s not in­ter­ested in the con­tent of apps, and it won’t be check­ing proac­tively when de­vel­op­ers reg­is­ter. This is only about iden­tity ver­i­fi­ca­tion—you should know when you’re in­stalling an app that it’s not an im­poster and does not come from known pur­vey­ors of mal­ware. If a ver­i­fied de­vel­oper dis­trib­utes mal­ware, they’re un­likely to re­main ver­i­fied. And what is mal­ware? For Samat, mal­ware in the con­text of de­vel­oper ver­i­fi­ca­tion is an ap­pli­ca­tion pack­age that “causes harm to the user’s de­vice or per­sonal data that the user did not in­tend.”

So a rootkit can be mal­ware, but a rootkit you down­loaded in­ten­tion­ally be­cause you want root ac­cess on your phone is not mal­ware, from Samat’s per­spec­tive. Likewise, an al­ter­na­tive YouTube client that by­passes Google’s ads and fea­ture lim­its is­n’t caus­ing the kind of harm that would lead to is­sues with ver­i­fi­ca­tion. But these are just broad strokes; Google has not com­mented on any spe­cific apps.

Google says side­load­ing is­n’t go­ing away, but it is chang­ing.

Google says side­load­ing is­n’t go­ing away, but it is chang­ing.

Google is pro­ceed­ing cau­tiously with the ver­i­fi­ca­tion roll­out, and some de­tails are still spotty. Privacy ad­vo­cates have ex­pressed con­cern that ver­i­fi­ca­tion will cre­ate a data­base that puts in­de­pen­dent de­vel­op­ers at risk of le­gal ac­tion. Samat says that Google does push back on ju­di­cial or­ders for user data when they are im­proper. The com­pany fur­ther sug­gests it’s not in­tend­ing to cre­ate a per­ma­nent list of de­vel­oper iden­ti­ties that would be vul­ner­a­ble to le­gal de­mands. We’ve asked for more de­tail on what data Google re­tains from the ver­i­fi­ca­tion process and for what length of time.

There is also con­cern that de­vel­op­ers liv­ing in sanc­tioned na­tions might be un­able to ver­ify due to the re­quired fee. Google notes that the ver­i­fi­ca­tion process may vary across coun­tries and was not cre­ated specif­i­cally to bar de­vel­op­ers in places like Cuba or Iran. We’ve asked for de­tails on how Google will han­dle these edge cases and will up­date if we learn more.

Rolling out in 2026 and be­yond

Android users in most of the world don’t have to worry about de­vel­oper ver­i­fi­ca­tion yet, but that day is com­ing. In September, ver­i­fi­ca­tion en­force­ment will be­gin in Brazil, Singapore, Indonesia, and Thailand. Impersonation and guided scams are more com­mon in these re­gions, so Google is start­ing there be­fore ex­pand­ing ver­i­fi­ca­tion glob­ally next year. Google has stressed that the ad­vanced flow will be avail­able be­fore the ini­tial roll­out in September.

Google stands by its as­ser­tion that users are 50 times more likely to get mal­ware out­side Google Play than in it. A big part of the gap, Samat says, is Google’s de­ci­sion in 2023 to be­gin ver­i­fy­ing de­vel­oper iden­ti­ties in the Play Store. This pro­vided a frame­work for uni­ver­sal de­vel­oper ver­i­fi­ca­tion. While there are cer­tainly rea­sons Google might like the con­trol ver­i­fi­ca­tion gives it, the Android team has felt real pres­sure from reg­u­la­tors in ar­eas with mal­ware is­sues to ad­dress plat­form se­cu­rity.

“In a lot of coun­tries, there is chat­ter about if this is­n’t safer, then there may need to be reg­u­la­tory ac­tion to lock down more of this stuff,” Samat told Ars Technica. “I don’t think that it’s well un­der­stood that this is a real se­cu­rity con­cern in a num­ber of coun­tries.”

Google has al­ready started de­liv­er­ing the ver­i­fier to de­vices around the world—it’s in­te­grated with Android 16.1, which launched late in 2025. Eventually, the ver­i­fier and ad­vanced flow will be on all cur­rently sup­ported Android de­vices. However, the UI will be con­sis­tent, with Google pro­vid­ing all the com­po­nents and scare screens. So what you see here should be sim­i­lar to what ap­pears on your phone in a few months, re­gard­less of who made it.

Ryan Whitwam is a se­nior tech­nol­ogy re­porter at Ars Technica, cov­er­ing the ways Google, AI, and mo­bile tech­nol­ogy con­tinue to change the world. Over his 20-year ca­reer, he’s writ­ten for Android Police, ExtremeTech, Wirecutter, NY Times, and more. He has re­viewed more phones than most peo­ple will ever own. You can fol­low him on Bluesky, where you will see pho­tos of his dozens of me­chan­i­cal key­boards.

Once again, ULA can’t de­liver when the US mil­i­tary needs a satel­lite in or­bit

You’re likely al­ready in­fected with a brain-eat­ing virus you’ve never heard of

NASA wants to know how the launch in­dus­try’s chic new rocket fuel ex­plodes

Rocket Report: Canada makes a ma­jor move, US Space Force says ac­tu­ally, let’s be hasty

Microsoft keeps in­sist­ing that it’s deeply com­mit­ted to the qual­ity of Windows 11

If you have any ques­tions or com­ments re­gard­ing the ac­ces­si­bil­ity of this pub­li­ca­tion, please con­tact us at ac­ces­si­ble@parl.gc.ca.

Skip to Document Navigation

Skip to Document Content

ENGLISHRECOMMENDATIONSUMMARYTABLE OF PROVISIONS1 Alternative Title2 PART 1 Timely Access to Data and Information2 Criminal Code2 Amendments to the Act28 Consequential Amendment to the Foreign Publishers Advertising Services Act29 Mutual Legal Assistance in Criminal Matters Act30 Canadian Security Intelligence Service Act37 Controlled Drugs and Substances Act38 Cannabis Act39 Coordinating Amendments40 Coming into Force41 PART 2 Supporting Authorized Access to Information Act41 Enactment of Act42 Related and Consequential Amendments to the Intelligence Commissioner Act42 Related and Consequential Amendments to the Intelligence Commissioner Act47 Coming into Force48 PART 3 Parliamentary ReviewSCHEDULE

Her Excellency the Governor General rec­om­mends to the House of Commons the ap­pro­pri­a­tion of pub­lic rev­enue un­der the cir­cum­stances, in the man­ner and for the pur­poses set out in a mea­sure en­ti­tled “An Act re­spect­ing law­ful ac­cess”.

Part 1 amends var­i­ous Acts to mod­ern­ize cer­tain pro­vi­sions re­spect­ing the timely gath­er­ing and pro­duc­tion of data and in­for­ma­tion dur­ing an in­ves­ti­ga­tion. It, among other things,

(a)amends the Criminal Code to, among other things,

(i)facilitate ac­cess to ba­sic in­for­ma­tion that will as­sist in the in­ves­ti­ga­tion of fed­eral of­fences through con­fir­ma­tion of ser­vice de­mands given to telecom­mu­ni­ca­tions ser­vice providers or ju­di­cial pro­duc­tion or­ders for the pro­duc­tion of sub­scriber in­for­ma­tion,

(ii)expedite the re­sponse to pro­duc­tion or­ders by short­en­ing the re­view process and clar­ify the abil­ity of peace of­fi­cers and pub­lic of­fi­cers to re­ceive and act on cer­tain in­for­ma­tion that is vol­un­tar­ily pro­vided to them and to ob­tain and act on in­for­ma­tion that is pub­licly avail­able,

(iii)specify cer­tain cir­cum­stances in which peace of­fi­cers and pub­lic of­fi­cers may ob­tain ev­i­dence, in­clud­ing sub­scriber in­for­ma­tion, in ex­i­gent cir­cum­stances,

(iv)allow a jus­tice or judge to au­tho­rize, in a war­rant, a peace of­fi­cer or pub­lic of­fi­cer to ob­tain track­ing data or trans­mis­sion data that re­lates to any thing that is sim­i­lar to a thing in re­la­tion to which data is au­tho­rized to be ob­tained un­der the war­rant and that is un­known at the time the war­rant is is­sued,

(v)provide and clar­ify au­thor­i­ties by which com­puter data may be ex­am­ined, and

(vi)allow a jus­tice or judge to au­tho­rize a peace of­fi­cer or pub­lic of­fi­cer to make a re­quest to a for­eign en­tity that pro­vides telecom­mu­ni­ca­tions ser­vices — or that pro­vides ser­vices by a means of telecom­mu­ni­ca­tion — to the pub­lic to pro­duce trans­mis­sion data or sub­scriber in­for­ma­tion that is in its pos­ses­sion or con­trol;

(c)amends the Mutual Legal Assistance in Criminal Matters Act to al­low the Minister of Justice to au­tho­rize a com­pe­tent au­thor­ity to make arrange­ments for the en­force­ment of a de­ci­sion made by an au­thor­ity of a state or en­tity that is em­pow­ered to com­pel the pro­duc­tion of trans­mis­sion data or sub­scriber in­for­ma­tion that is in the pos­ses­sion or con­trol of a per­son in Canada;

(d)amends the Canadian Security Intelligence Service Act to, among other things,

(i)facilitate ac­cess to ba­sic in­for­ma­tion that will as­sist the Canadian Security Intelligence Service in the per­for­mance of its du­ties and func­tions un­der sec­tion 12 or 16 of that Act through con­fir­ma­tion of ser­vice de­mands given to telecom­mu­ni­ca­tions ser­vice providers and ju­di­cial or­ders against those providers, and

(e)amends the Controlled Drugs and Substances Act and the Cannabis Act to pro­vide and clar­ify au­thor­i­ties by which com­puter data may be ex­am­ined.

Part 2 en­acts the Supporting Authorized Access to Information Act. That Act es­tab­lishes a frame­work for en­sur­ing that elec­tronic ser­vice providers can fa­cil­i­tate the ex­er­cise, by au­tho­rized per­sons, of au­thor­i­ties to ac­cess in­for­ma­tion con­ferred un­der the Criminal Code or the Canadian Security Intelligence Service Act. It also makes re­lated and con­se­quen­tial amend­ments to the Intelligence Commissioner Act.

Part 3 pro­vides for the par­lia­men­tary re­view of Parts 1 and 2.

Available on the House of Commons web­site at the fol­low­ing ad­dress:

An Act re­spect­ing the oblig­a­tions of elec­tronic ser­vice providers in re­la­tion to au­tho­rized ac­cess to in­for­ma­tion

How act or omis­sion may be pro­ceeded with

Payment of Penalties and Alternatives to Payment

His Majesty, by and with the ad­vice and con­sent of the Senate and House of Commons of Canada, en­acts as fol­lows:

This Act may be cited as the Lawful Access Act, .

Subsection () of the is re­placed by the fol­low­ing:

Subsections () to () and sec­tion ap­ply, with any mod­i­fi­ca­tions that the cir­cum­stances re­quire, to a war­rant is­sued un­der this sec­tion.

The por­tion of sub­sec­tion () of the Act be­fore para­graph (a) is re­placed by the fol­low­ing:

A jus­tice who is sat­is­fied by in­for­ma­tion on oath in Form that there are rea­son­able grounds to be­lieve that there is in a build­ing, re­cep­ta­cle or place

Subsection () of the Act is amended by re­plac­ing “a pub­lic of­fi­cer who has been ap­pointed or des­ig­nated to ad­min­is­ter or en­force a fed­eral or provin­cial law and whose du­ties in­clude the en­force­ment of this Act or any other Act of Parliament and who is named in the war­rant” with “a pub­lic of­fi­cer”.

Subsections () to () of the Act are re­placed by the fol­low­ing:

A war­rant is­sued un­der sub­sec­tion () may be ex­e­cuted at any place in Canada. A peace of­fi­cer or pub­lic of­fi­cer who ex­e­cutes the war­rant must have au­thor­ity to act in that ca­pac­ity in the place where the war­rant is ex­e­cuted.

A per­son au­tho­rized un­der to search a com­puter sys­tem in a build­ing or place for data may

(a)use or cause to be used any com­puter sys­tem at the build­ing or place to search any Insertion start Insertion end data con­tained in or avail­able to the com­puter sys­tem; and

Duty of per­son in pos­ses­sion or con­trol

Every per­son who is in pos­ses­sion or con­trol of any build­ing or place in re­spect of which a search is car­ried out un­der shall, on pre­sen­ta­tion of the war­rant, per­mit the per­son car­ry­ing out the search to per­form any of the acts re­ferred to in sub­sec­tion ().

The judge or jus­tice may, in a war­rant is­sued un­der sub­sec­tion (), au­tho­rize the ex­am­i­na­tion of any com­puter data seized un­der the war­rant or con­tained in or avail­able to a com­puter sys­tem seized un­der the war­rant, if the judge or jus­tice is sat­is­fied that there are rea­son­able grounds to be­lieve that the com­puter data will af­ford ev­i­dence with re­spect to the com­mis­sion of the of­fence set out in the in­for­ma­tion.

A judge or jus­tice may at any time is­sue a war­rant au­tho­riz­ing the ex­am­i­na­tion of com­puter data con­tained in or avail­able to a com­puter sys­tem that is spec­i­fied in the war­rant and that is in the pos­ses­sion of a peace of­fi­cer or pub­lic of­fi­cer if the judge or jus­tice is sat­is­fied by in­for­ma­tion on oath in Form that there are rea­son­able grounds to be­lieve that

(a)an of­fence has been or will be com­mit­ted un­der this Act or any other Act of Parliament; and

(b)the com­puter data will af­ford ev­i­dence with re­spect to the com­mis­sion of the of­fence.

The ex­am­i­na­tion of com­puter data un­der a war­rant is­sued un­der this sec­tion may be made sub­ject to any con­di­tions that the judge or jus­tice con­sid­ers ad­vis­able to en­sure that the ex­am­i­na­tion is rea­son­able in the cir­cum­stances.

As soon as fea­si­ble af­ter a war­rant au­tho­riz­ing the ex­am­i­na­tion of com­puter data is is­sued un­der this sec­tion, the per­son who ap­plied for it shall give a copy of it to the fol­low­ing per­sons:

(a)any per­son, if known, who is the law­ful owner of the com­puter sys­tem that con­tains the com­puter data or through which the com­puter data is avail­able or who is law­fully en­ti­tled to the pos­ses­sion of that com­puter sys­tem; and

(b)any per­son who is re­ferred to in the in­for­ma­tion, who is un­der in­ves­ti­ga­tion for the com­mis­sion of the of­fence set out in the war­rant and whose com­puter data is au­tho­rized to be ex­am­ined un­der the war­rant.

However, a copy of the war­rant is not re­quired to be given to a per­son un­der sub­sec­tion () if

(a)the per­son has al­ready re­ceived a copy un­der sec­tion 487.‍093; or

(b)the judge or jus­tice who is­sues the war­rant sets aside the re­quire­ment in re­spect of the per­son, on be­ing sat­is­fied that do­ing so is jus­ti­fied in the cir­cum­stances.

If the judge or jus­tice who is­sues a war­rant un­der this sec­tion au­tho­riz­ing the ex­am­i­na­tion of com­puter data or any other judge or jus­tice hav­ing ju­ris­dic­tion to is­sue such a war­rant is sat­is­fied, on the ba­sis of an af­fi­davit sub­mit­ted in sup­port of an ap­pli­ca­tion to ex­tend the pe­riod within which a copy of the war­rant shall be given un­der sub­sec­tion (), that the in­ter­ests of jus­tice war­rant the grant­ing of the ap­pli­ca­tion, the judge or jus­tice may grant an ex­ten­sion, or a sub­se­quent ex­ten­sion, of the pe­riod, but no ex­ten­sion may ex­ceed three years.

An ex­am­i­na­tion of com­puter data au­tho­rized un­der a war­rant is­sued un­der this sec­tion may take place at any time and at any place in Canada and, for the pur­poses of the ex­am­i­na­tion, a per­son may copy com­puter data at any time and at any place in Canada.

Section of the Act is amended by adding the fol­low­ing af­ter sub­sec­tion ():

The fol­low­ing de­f­i­n­i­tions ap­ply in this sec­tion.

com­puter data has the same mean­ing as in sub­sec­tion 342.‍1(2).‍ (données in­for­ma­tiques)

com­puter sys­tem has the same mean­ing as in sub­sec­tion 342.‍1(2).‍ (ordinateur)

judge means a judge of a su­pe­rior court of crim­i­nal ju­ris­dic­tion or a judge of the Court of Quebec.‍ (juge)

pub­lic of­fi­cer means a pub­lic of­fi­cer who is ap­pointed or des­ig­nated to ad­min­is­ter or en­force a fed­eral or provin­cial law and whose du­ties in­clude the en­force­ment of this Act or any other Act of Parliament.‍ (fonctionnaire pub­lic)

The por­tion of sec­tion of the Act be­fore the first de­f­i­n­i­tion is re­placed by the fol­low­ing:

The fol­low­ing de­f­i­n­i­tions ap­ply in this sec­tion and in sec­tions to  .

Section of the Act is amended by adding the fol­low­ing in al­pha­bet­i­cal or­der:

sub­scriber in­for­ma­tion, in re­la­tion to any client of a per­son who pro­vides ser­vices to the pub­lic or any sub­scriber to the ser­vices of such a per­son, means

(a)information that may be used to iden­tify the sub­scriber or client, in­clud­ing their name, pseu­do­nym, ad­dress, tele­phone num­ber and email ad­dress;

(b)identifiers as­signed to the sub­scriber or client by the per­son, in­clud­ing ac­count num­bers; and

(c)information re­lat­ing to the ser­vices pro­vided to the sub­scriber or client, in­clud­ing

(ii)the pe­riod dur­ing which the ser­vices were pro­vided, and

The Act is amended by adding the fol­low­ing af­ter sec­tion :

A peace of­fi­cer or pub­lic of­fi­cer may make a de­mand in Form to a telecom­mu­ni­ca­tions ser­vice provider re­quir­ing them to con­firm, within the time and in the man­ner spec­i­fied in the de­mand, whether or not they pro­vide or have pro­vided telecom­mu­ni­ca­tion ser­vices to any sub­scriber or client, or to any ac­count or iden­ti­fier, spec­i­fied in the de­mand.

The peace of­fi­cer or pub­lic of­fi­cer may make the de­mand only if they have rea­son­able grounds to sus­pect that

(a)an of­fence has been or will be com­mit­ted un­der this Act or any other Act of Parliament; and

(b)the con­fir­ma­tion that is de­manded will as­sist in the in­ves­ti­ga­tion of the of­fence.

For greater cer­tainty, a de­mand must not be made if the con­fir­ma­tion would dis­close med­ical in­for­ma­tion or in­for­ma­tion that is sub­ject to so­lic­i­tor-client priv­i­lege or the pro­fes­sional se­crecy of ad­vo­cates and no­taries.

A de­mand must not be made to a telecom­mu­ni­ca­tions ser­vice provider that is un­der in­ves­ti­ga­tion for the of­fence re­ferred to in sub­sec­tion ().

The time spec­i­fied in the de­mand is to be not less than hours.

The peace of­fi­cer or pub­lic of­fi­cer who makes the de­mand may im­pose con­di­tions in the de­mand pro­hibit­ing the dis­clo­sure of its ex­is­tence or some or all of its con­tents for a pe­riod not greater than one year af­ter the day on which the de­mand is made. The peace of­fi­cer or pub­lic of­fi­cer may im­pose the con­di­tions only if they have rea­son­able grounds to be­lieve that the dis­clo­sure dur­ing that pe­riod would jeop­ar­dize the con­duct of the in­ves­ti­ga­tion of the of­fence to which the de­mand re­lates.

A peace of­fi­cer or pub­lic of­fi­cer may, at any time, re­voke the de­mand or a con­di­tion by no­tice given to the telecom­mu­ni­ca­tions ser­vice provider.

The telecom­mu­ni­ca­tions ser­vice provider may, within five busi­ness days af­ter the day on which they re­ceive the de­mand, ap­ply in writ­ing, to a judge in the ju­di­cial dis­trict where the de­mand was re­ceived, to re­voke or vary the de­mand.

The telecom­mu­ni­ca­tions ser­vice provider may make an ap­pli­ca­tion un­der sub­sec­tion () only if, be­fore the con­fir­ma­tion is re­quired to be pro­vided, they give no­tice to the peace of­fi­cer or pub­lic of­fi­cer who made the de­mand of the telecom­mu­ni­ca­tions ser­vice provider’s in­ten­tion to make the ap­pli­ca­tion.

The telecom­mu­ni­ca­tions ser­vice provider is not re­quired to pro­vide the con­fir­ma­tion un­til a fi­nal de­ci­sion is made with re­spect to the ap­pli­ca­tion.

The judge in the ju­di­cial dis­trict where the de­mand was re­ceived may re­voke or vary the de­mand if sat­is­fied that

(a)it is un­rea­son­able in the cir­cum­stances to re­quire the ap­pli­cant to pro­vide the con­fir­ma­tion; or

(b)provision of the con­fir­ma­tion would dis­close in­for­ma­tion that is priv­i­leged or oth­er­wise pro­tected from dis­clo­sure by law.

Despite sub­sec­tion (), no de­mand un­der that sub­sec­tion is nec­es­sary for a peace of­fi­cer or pub­lic of­fi­cer to ask a telecom­mu­ni­ca­tions ser­vice provider to vol­un­tar­ily pro­vide the con­fir­ma­tion re­ferred to in that sub­sec­tion if the telecom­mu­ni­ca­tions ser­vice provider is not pro­hib­ited by law from pro­vid­ing it. A telecom­mu­ni­ca­tions ser­vice provider that pro­vides a con­fir­ma­tion in those cir­cum­stances does not in­cur any crim­i­nal or civil li­a­bil­ity for do­ing so.

In this sec­tion, has the same mean­ing as in sub­sec­tion () of the .

The Act is amended by adding the fol­low­ing af­ter sec­tion :

On ap­pli­ca­tion made by a peace of­fi­cer or pub­lic of­fi­cer, a jus­tice or judge may or­der a per­son who pro­vides ser­vices to the pub­lic to pre­pare and pro­duce a doc­u­ment con­tain­ing all the sub­scriber in­for­ma­tion that re­lates to any in­for­ma­tion, in­clud­ing trans­mis­sion data, that is spec­i­fied in the or­der and that is in their pos­ses­sion or con­trol when they re­ceive the or­der.

Before mak­ing the or­der, the jus­tice or judge must be sat­is­fied by in­for­ma­tion on oath in Form that there are rea­son­able grounds to sus­pect that

(a)an of­fence has been or will be com­mit­ted un­der this Act or any other Act of Parliament; and

(b)the sub­scriber in­for­ma­tion is in the per­son’s pos­ses­sion or con­trol and will as­sist in the in­ves­ti­ga­tion of the of­fence.

The or­der is to be in Form

A per­son who is un­der in­ves­ti­ga­tion for the of­fence re­ferred to in sub­sec­tion () is not to be made sub­ject to an or­der.

The Act is amended by adding the fol­low­ing af­ter sec­tion :

On ap­pli­ca­tion made by a peace of­fi­cer or pub­lic of­fi­cer, a jus­tice or judge may au­tho­rize a peace of­fi­cer or pub­lic of­fi­cer to make a re­quest to a for­eign en­tity that pro­vides telecom­mu­ni­ca­tions ser­vices — or that pro­vides ser­vices by a means of telecom­mu­ni­ca­tion — to the pub­lic to pre­pare and pro­duce a doc­u­ment con­tain­ing trans­mis­sion data or sub­scriber in­for­ma­tion that is in the for­eign en­ti­ty’s pos­ses­sion or con­trol when it re­ceives the re­quest.

The jus­tice or judge may au­tho­rize a peace of­fi­cer or pub­lic of­fi­cer to make the pro­duc­tion re­quest only if the jus­tice or judge is sat­is­fied by in­for­ma­tion on oath in Form that there are rea­son­able grounds to sus­pect that

(a)an of­fence has been or will be com­mit­ted un­der this or any other Act of Parliament; and

(b)the trans­mis­sion data or the sub­scriber in­for­ma­tion is in the for­eign en­ti­ty’s pos­ses­sion or con­trol and will as­sist in the in­ves­ti­ga­tion of the of­fence.

The au­tho­riza­tion is to be in Form and must spec­ify that a peace of­fi­cer or pub­lic of­fi­cer must not send a pro­duc­tion re­quest more than days af­ter the day on which the au­tho­riza­tion is granted.

The pro­duc­tion re­quest is to be in Form and may in­clude any in­for­ma­tion that is re­quired by the for­eign en­tity, by the for­eign state in which the for­eign en­tity is lo­cated or un­der an in­ter­na­tional agree­ment or arrange­ment to which Canada and the for­eign state are par­ties.

Subsection () of the Act is re­placed by the fol­low­ing:

On ap­pli­ca­tion made by a peace of­fi­cer or pub­lic of­fi­cer, a jus­tice or judge may make an or­der pro­hibit­ing a per­son from dis­clos­ing the ex­is­tence or some or all of the con­tents of a preser­va­tion de­mand made un­der sec­tion or an or­der made un­der any of sec­tions to dur­ing the pe­riod set out in the or­der.

Subsection () of the Act is re­placed by the fol­low­ing:

An or­der made un­der any of sec­tions and to must re­quire a per­son, fi­nan­cial in­sti­tu­tion or en­tity to pro­duce the doc­u­ment to a peace of­fi­cer or pub­lic of­fi­cer named in the or­der within the time, at the place and in the form spec­i­fied in the or­der.

Subsections () and () of the Act are re­placed by the fol­low­ing:

The decades-long bat­tle over law­ful ac­cess en­tered a new phase yes­ter­day with the in­tro­duc­tion of Bill C-22, the Lawful Access Act. This bill fol­lows the at­tempt last spring to bury law­ful ac­cess pro­vi­sions in Bill C-2, a bor­der mea­sures bill that was the new gov­ern­men­t’s first piece of sub­stan­tive leg­is­la­tion. The law­ful ac­cess el­e­ments of the bill faced an im­me­di­ate back­lash given the in­clu­sion of un­prece­dented rules per­mit­ting wide­spread war­rant­less ac­cess to per­sonal in­for­ma­tion. Those rules were on very shaky con­sti­tu­tional ground and the gov­ern­ment ul­ti­mately de­cided to hit the re­set but­ton on law­ful ac­cess by pro­ceed­ing with the bor­der mea­sures in a dif­fer­ent bill.

Lawful ac­cess never dies, how­ever. Bill C-22 cover the two main as­pects of law­ful ac­cess: law en­force­ment ac­cess to per­sonal in­for­ma­tion held by com­mu­ni­ca­tion ser­vice providers such as ISPs and wire­less providers and the de­vel­op­ment of sur­veil­lance and mon­i­tor­ing ca­pa­bil­i­ties within Canadian net­works. In fact, the bill is sep­a­rated into two with the first half deal­ing with “timely ac­cess to data and in­for­ma­tion” and the sec­ond es­tab­lish­ing the Supporting Authorized Access to Information Act (SAAIA).

I an­tic­i­pate pro­vid­ing ex­ten­sive cov­er­age of the bill on both this blog and my pod­cast. My ini­tial take is that the ac­cess to data and in­for­ma­tion piece of the bill is much im­proved. The ear­lier Bill C-2 it­er­a­tion of a new in­for­ma­tion de­mand power was as­ton­ish­ing in its breadth (covering far more than just com­mu­ni­ca­tions providers by tar­get­ing any­one who pro­vides a ser­vice in Canada in­clud­ing physi­cians and lawyers) and de­mands for war­rant­less dis­clo­sure of per­sonal in­for­ma­tion in di­rect con­tra­dic­tion to re­cent Supreme Court of Canada ju­rispru­dence.

The gov­ern­ment has scrapped that ap­proach by shift­ing to a new “confirmation of ser­vice” de­mand power. This would al­low law en­force­ment to de­mand that tele­com providers (not any ser­vice provider) con­firm whether they pro­vide ser­vice to a par­tic­u­lar per­son. The other sub­scriber in­for­ma­tion would be sub­ject to a new pro­duc­tion or­der re­viewed and ap­proved by a judge. This would ad­dress the long­stand­ing po­lice com­plaint that they may do con­sid­er­able work seek­ing in­for­ma­tion about a sub­scriber at a provider only to learn that the per­son is­n’t a cus­tomer and they start over with some­one else.

These new rules con­tain other or­ders and rules on vol­un­tary dis­clo­sure, chal­leng­ing the re­quests, ex­i­gent cir­cum­stances, and for­eign or­ders for the same in­for­ma­tion. I plan to un­pack these rules in the com­ing weeks. For ex­am­ple, there are con­cerns about the thresh­olds that the pro­duc­tion or­ders en­vi­sion, namely the low “reasonable grounds to sus­pect” stan­dard. However, the main take­away here is that the gov­ern­ment has sig­nif­i­cantly lim­ited the scope of war­rant­less in­for­ma­tion de­mand pow­ers, now fo­cus­ing solely on telecom­mu­ni­ca­tions providers and whether they pro­vide ser­vice to a par­tic­u­lar in­di­vid­ual. Access to more per­sonal in­for­ma­tion will re­quire over­sight. That’s a ma­jor con­ces­sion and high­lights how Bill C-2 was too broad, dan­ger­ous from a pri­vacy per­spec­tive, and un­likely to pass con­sti­tu­tional muster.

If that is the good news, the bad news is very bad. The SAAIA, which es­tab­lishes new re­quire­ments for com­mu­ni­ca­tions providers to ac­tively work with law en­force­ment on their sur­veil­lance and mon­i­tor­ing ca­pa­bil­i­ties are largely un­changed from Bill C-2. In fact, there are el­e­ments in­volv­ing data re­ten­tion that are even worse. The gov­ern­ment will point to in­creased over­sight — min­is­te­r­ial or­ders must now be ap­proved by the Intelligence Commissioner — but the con­cerns re­gard­ing sur­veil­lance ca­pa­bil­i­ties, se­cu­rity vul­ner­a­bil­i­ties, se­crecy, and cross-bor­der data shar­ing re­main.

The SAAIA has huge im­pli­ca­tions for net­work providers as they en­vi­sion pro­vid­ing law en­force­ment with di­rect ac­cess to provider net­works to test ca­pa­bil­i­ties for data ac­cess and in­ter­cep­tion. The bill in­tro­duces a new term — “electronic ser­vice provider” — that is pre­sum­ably de­signed to ex­tend be­yond tele­com and Internet providers by scop­ing in Internet plat­forms (Google, Meta, etc.). Those in­ter­na­tional ser­vices are now key play­ers in elec­tronic com­mu­ni­ca­tions (think Gmail or WhatsApp), though some may be be­yond this form of reg­u­la­tion (eg. Signal if you don’t in­ad­ver­tently add peo­ple to chat groups).

The de­f­i­n­i­tion of an ESP is:

a per­son that, in­di­vid­u­ally or as part of a group, pro­vides an elec­tronic ser­vice, in­clud­ing for the pur­pose of en­abling com­mu­ni­ca­tions, and that
(a) pro­vides the ser­vice to per­sons in Canada; or

(b) car­ries on all or part of its busi­ness ac­tiv­i­ties in Canada.‍

“a ser­vice, or a fea­ture of a ser­vice, that in­volves the cre­ation, record­ing, stor­age, pro­cess­ing, trans­mis­sion, re­cep­tion, emis­sion or mak­ing avail­able of in­for­ma­tion in elec­tronic, dig­i­tal or any other in­tan­gi­ble form by an elec­tronic, dig­i­tal, mag­netic, op­ti­cal, bio­met­ric, acoustic or other tech­no­log­i­cal means, or a com­bi­na­tion of any such means.”

All elec­tronic ser­vice providers are sub­ject to oblig­a­tions to “provide all rea­son­able as­sis­tance, in any pre­scribed time and man­ner, to per­mit the as­sess­ment or test­ing of any de­vice, equip­ment or other thing that may en­able an au­tho­rized per­son to ac­cess in­for­ma­tion.” Moreover, all are re­quired to keep such re­quests se­cret.

But be­yond the ba­sic oblig­a­tions, the gov­ern­ment will iden­tify “core providers” who will be sub­ject to ad­di­tional reg­u­la­tions. These may in­clude:

(a) the de­vel­op­ment, im­ple­men­ta­tion, as­sess­ment, test­ing and main­te­nance of op­er­a­tional and tech­ni­cal ca­pa­bil­i­ties, in­clud­ing ca­pa­bil­i­ties re­lated to ex­tract­ing and or­ga­niz­ing in­for­ma­tion that is au­tho­rized to be ac­cessed and to pro­vid­ing ac­cess to such in­for­ma­tion to au­tho­rized per­sons;

(b) the in­stal­la­tion, use, op­er­a­tion, man­age­ment, as­sess­ment, test­ing and main­te­nance of any de­vice, equip­ment or other thing that may en­able an au­tho­rized per­son to ac­cess in­for­ma­tion;

(c) notices to be given to the Minister or other per­sons, in­clud­ing with re­spect to any ca­pa­bil­ity re­ferred to in para­graph (a) and any de­vice, equip­ment or other thing re­ferred to in para­graph (b); and

(d) the re­ten­tion of cat­e­gories of meta­data — in­clud­ing trans­mis­sion data, as de­fined in sec­tion 487.‍011 of the Crim­i­nal Code — for rea­son­able pe­ri­ods of time not ex­ceed­ing one year.

Note that the re­ten­tion of meta­data found in (d) is new. It was not in Bill C-2, so this bill ac­tu­ally ex­pands the scope of oblig­a­tions. The new bill con­tains some lim­its on data re­ten­tion:

4) Paragraph (2)‍(d) does not au­tho­rize the mak­ing of reg­u­la­tions that re­quire core providers to re­tain in­for­ma­tion that would re­veal

(a) the con­tent — that is to say the sub­stance, mean­ing or pur­pose — of in­for­ma­tion trans­mit­ted in the course of an elec­tronic ser­vice;

(b) a per­son’s web brows­ing his­tory; or

(c) a per­son’s so­cial me­dia ac­tiv­i­ties.

The bill also re­tains an ex­cep­tion for sys­temic vul­ner­a­bil­i­ties, which states:

A core provider is not re­quired to com­ply with a pro­vi­sion of a reg­u­la­tion made un­der sub­sec­tion (2), with re­spect to an elec­tronic ser­vice, if com­pli­ance with that pro­vi­sion would re­quire the provider to in­tro­duce a sys­temic vul­ner­a­bil­ity re­lated to that ser­vice or pre­vent the provider from rec­ti­fy­ing such a vul­ner­a­bil­ity.

There re­main con­cerns that is in­suf­fi­cient and that there are real risks that net­works may be made less se­cure by virtue of these rules with the changes kept se­cret from the pub­lic. Moreover, as Kate Robertson of the Citizen Lab has dis­cussed (including on the Law Bytes pod­cast), many of these rules ap­pear geared to­ward global in­for­ma­tion shar­ing, in­clud­ing com­pli­ance with the Second Additional Protocol to the Budapest Convention (2AP) and the CLOUD Act.

There is much to un­pack with this sec­tion in­clud­ing the abil­ity to chal­lenge or­ders, the se­crecy as­so­ci­ated with the sys­tem, over­sight, and costs. I plan to cover these as well but for the mo­ment it is suf­fi­cient to con­clude that Bill C-22’s SAAIA en­vi­sions a sig­nif­i­cant change to how gov­ern­ment agen­cies in­ter­act with Canadian com­mu­ni­ca­tions net­works and net­work providers rais­ing enor­mous pri­vacy and civil lib­er­ties con­cerns. The gov­ern­ment may have taken war­rant­less ac­cess to sub­scriber in­for­ma­tion off the table, but there re­mains se­ri­ous pri­vacy con­cerns as­so­ci­ated with its law­ful ac­cess plans.

Rule 1. You can’t tell where a pro­gram is go­ing to spend its time. Bottlenecks oc­cur in sur­pris­ing places, so don’t try to sec­ond guess and put in a speed hack un­til you’ve proven that’s where the bot­tle­neck is.

Rule 2. Measure. Don’t tune for speed un­til you’ve mea­sured, and even then don’t un­less one part of the code over­whelms the rest.

Rule 3. Fancy al­go­rithms are slow when n is small, and n is usu­ally small. Fancy al­go­rithms have big con­stants. Until you know that n is fre­quently go­ing to be big, don’t get fancy. (Even if n does get big, use Rule 2 first.)

Rule 4. Fancy al­go­rithms are bug­gier than sim­ple ones, and they’re much harder to im­ple­ment. Use sim­ple al­go­rithms as well as sim­ple data struc­tures.

Rule 5. Data dom­i­nates. If you’ve cho­sen the right data struc­tures and or­ga­nized things well, the al­go­rithms will al­most al­ways be self-ev­i­dent. Data struc­tures, not al­go­rithms, are cen­tral to pro­gram­ming.

Pike’s rules 1 and 2 re­state Tony Hoare’s fa­mous maxim “Premature op­ti­miza­tion is the root of all evil.”

Ken Thompson rephrased Pike’s rules 3 and 4 as “When in doubt, use brute force.”.

Rules 3 and 4 are in­stances of the de­sign phi­los­o­phy KISS.

Rule 5 was pre­vi­ously stated by Fred Brooks in The Mythical Man-Month. Rule 5 is of­ten short­ened to “write stu­pid code that uses smart ob­jects”.

Reddit re­searcher ex­poses Meta’s $2B cam­paign to force Apple and Google into build­ing sur­veil­lance sys­tems while ex­empt­ing its own plat­forms

Reddit re­searcher ex­poses Meta’s $2B cam­paign to force Apple and Google into build­ing sur­veil­lance sys­tems while ex­empt­ing its own plat­forms

A Reddit re­searcher just ex­posed how Meta fun­neled over $2 bil­lion through shad­owy non­prof­its to push age ver­i­fi­ca­tion laws that would force Apple and Google to build sur­veil­lance in­fra­struc­ture into every de­vice—while con­ve­niently ex­empt­ing Meta’s own plat­forms from the same re­quire­ments.

The in­ves­ti­ga­tion by GitHub user “upper-up” traces fund­ing through or­ga­ni­za­tions like the Digital Childhood Alliance (DCA), which launched December 18, 2024, and tes­ti­fied for Utah’s SB-142 just days later. Bloomberg and Deseret News re­ported Meta’s back­ing of DCA, part of a $70 mil­lion frag­mented su­per PAC strat­egy de­signed to evade FEC track­ing. Traditional elec­tion spend­ing dis­clo­sure re­quire­ments don’t ap­ply to this frag­mented ap­proach.

The tech­ni­cal re­al­ity hits harder than pol­icy ab­strac­tions. These bills man­date OS-level APIs that apps can query for age data—cre­at­ing a per­ma­nent iden­tity layer baked into your phone’s core func­tions. Meta’s Horizon OS for Quest VR al­ready im­ple­ments this in­fra­struc­ture through Family Center con­trols. Now they want Apple and Google to build sim­i­lar sys­tems that every app can ac­cess, turn­ing age ver­i­fi­ca­tion into per­sis­tent de­vice fin­ger­print­ing.

Here’s where the lob­by­ing gets sur­gi­cal. The pro­posed laws ham­mer Apple’s App Store and Google Play with com­pli­ance re­quire­ments but re­port­edly spare so­cial me­dia plat­forms—Meta’s core busi­ness. It’s like Spotify lob­by­ing for stream­ing reg­u­la­tions that only ap­ply to Apple Music. The “child safety” rhetoric masks a com­pet­i­tive strat­egy that shifts li­a­bil­ity from plat­forms to op­er­at­ing sys­tem mak­ers.

The European Union’s Digital Identity Wallet takes a rad­i­cally dif­fer­ent ap­proach. Zero-knowledge proofs let you ver­ify age with­out re­veal­ing per­sonal data—like show­ing you’re over 18 with­out dis­clos­ing your birth­date or iden­tity de­tails. It’s open-source, self-hostable, and only ap­plies to large plat­forms while ex­empt­ing FOSS and small en­ti­ties. Meanwhile, US law­mak­ers seem ready to let Meta bam­boo­zle them into com­plete pri­vacy an­ni­hi­la­tion.

Your de­vice’s trust­wor­thi­ness hangs in the bal­ance. These laws could force every Linux dis­tri­b­u­tion and pri­vacy-fo­cused Android fork to im­ple­ment iden­tity ver­i­fi­ca­tion or face le­gal li­a­bil­ity. The choice be­tween sur­veil­lance-free com­put­ing and reg­u­la­tory com­pli­ance is com­ing faster than you think.