Felca Law may require age verification on Linux

A Felca Law has already been discussed here on Soberano. But one of its consequences has not yet received the attention it deserves: the age verification obligation which, in theory, would extend to operating systems - including Linux.

The law comes into force on March 17th, 2026. And the text, The new system, which is deliberately vague, opens up loopholes that worry not only ordinary users, but also software developers in Brazil and abroad.

Fines of up to R$ 50,000,000.00 for non-compliance

Law 15.211 stipulates that information technology products or services “aimed at children and adolescents or access likely by them” must adopt age verification mechanisms. Failure to comply could result in fines of up to R$ 50 million.

The problem lies precisely in this elastic definition. Who determines what is “likely to be accessed” by minors? The law doesn't say. This means that, in practice, the government can interpret the rule in an expansive way whenever it is politically convenient - just as we have seen happen in other situations in Brazil.

Sovereign Pay

Your pocket Swiss bank.

Copper via PIX anonymous and receive it at Bitcoin, dollar or balance in international card.

Knowing Only 9 vacancies

Would a general-purpose operating system such as Ubuntu, Fedora or Linux Mint fall into this category? The law doesn't rule it out. And it is this ambiguity that is stirring up forums, developer lists and the Brazilian tech community.

The question circulate on Brazilian Reddit is straightforward: will any Linux distro implement a prompt asking your age? And if it doesn't, will the government try to ban Linux?

The most sensible answer, shared by more experienced users in the discussion, is that there is no clear responsible legal subject in the case of community Linux distributions.

The law was written with large platforms in mind - social networks, app stores, streams. Holding the Linux kernel or a distro maintained by volunteers around the world responsible would be legally unfeasible e technically absurd.

But the debate is not unfounded. And the fact that it is happening at all reveals the most damaging side effect of vague laws: the fear and self-censorship they generate even before any inspection.

What's happening outside Brazil

The problem is not exclusively Brazilian. In March 1st, 2026, Aaron Rainbolt, a developer who contributes to the Kicksecure and Whonix projects - Linux distributions focused on privacy and security -, published an open letter on the official Ubuntu mailing list exposing a similar dilemma.

The reason: a law passed in California which obliges operating system vendors to implement an age verification API, scheduled to come into force on January 1st, 2027. The state of Colorado is working on similar legislation.

American law defines four age groups (under 13, between 13 and 16, between 16 and 18, and over 18) and requires the operating system to collect this information when setting up the user account, making it available via API so that application stores and websites can consult it.

Rainbolt was clear in the title of the message: “the unfortunate need for an age verification API for legal compliance reasons.”

It proposes a standardized D-Bus interface that different distributions could implement in different ways, while preserving privacy as much as possible: storing only the age range, not the full date of birth, and without exposing the data to unauthorized applications.

But even this minimalist proposal raises important questions: who guarantees that the information stored will not be accessed improperly? How do you deal with installations on servers, virtual machines or environments without a graphical interface? And, more fundamentally, who checks that the declared age is true?

Rainbolt's honest answer: no one. The developer himself recognizes that there is nothing in the law that prevents users from simply declaring that they are 18 - making the whole mechanism technically useless for the stated purpose of protecting children, but useful for something else: standardize the collection of identity data at the operating system level.

The pattern repeats itself

We've already written here about Felca Law and what happened in the UK after the Online Safety Act. The narrative is always the same: protect children. The result is also usually the same: surveillance infrastructure built at the expense of everyone's privacy, with questionable effectiveness in actually protecting minors.

In Texas, following the passing of a similar law requiring identity verification to access adult content, demand for VPNs grew by 234.8%. In the UK, 266 identity verification companies earned the equivalent of R$ 16 billion in 2025.

The law doesn't protect children. It creates a market - and expands the state's reach into people's digital lives. Learn more about this by watching the video below:

What changes in practice for you

For now, no mainstream Linux distribution has announced plans to implement age verification in response to Brazilian law. And monitoring community operating systems is, in practice, unfeasible.

The real risk in the short term is not that Linux will be blocked. It's something else: that large platforms - app stores, streaming services, news sites - start requiring age verification integrated into the operating system in order to grant access. And that, in order to use these services, you need a system that “collaborates” with this infrastructure.

Linux, in this scenario, could become not just a choice of operating system, but a choice of politics - the option for those who prefer not to have their age registered at kernel level, not to have access mediated by a government API, not to have their identity linked to their device.

It's the same logic as Bitcoin in relation to the traditional financial system. When the siege tightens, the sovereign tools and open gain a new meaning.

What to do now

The law comes into force on the 17th. Some practical measures:

• Follow the legislative debateThe law is vague enough to be interpreted in very different ways. The regulations that come afterwards will define the real limits.
• Use LinuxIn addition to all the technical advantages, open source operating systems are transparent about what they collect - and you can check this.
• Invest in privacy toolsVPNs, privacy-focused browsers and networks such as Tor are gaining relevance as compulsory traceability advances.
• Keep an eye out for privacy-focused distrosprojects like Whonix and Kicksecure, which are at the forefront of this international debate, were created for scenarios exactly like this.

The government believes it is building protection. What it is actually building is infrastructure. And infrastructure built today with good intentions can be operated tomorrow with very different intentions.

Update: it's already started

MidnightBSD, an operating system similar to Linux, updated its license this Sunday (8) to specifically prohibit use in additional regions affected by the new “Age Verification for Operating Systems” laws - Brazil, California, Colorado, New York and Illinois.

Important: We have revised our license to include additional jurisdictions implementing the age verification laws. Residents of Brazil are no longer authorized to use MidnightBSD.

We will not implement ID checks as Brazil requires (not just attesting age) pic.twitter.com/fWQSmYdMmk

- MidnightBSD (@midnightbsd) March 8, 2026

“Residents of any countries, states or territories that require age verification for operating systems are not permitted to use MidnightBSD. Currently, this list includes Brazil as of March 17, 2026, California as of January 1, 2027, and will include Colorado, Illinois and New York, provided they pass the currently proposed legislation. We urge users to write to their representatives to have these laws repealed or replaced.”, wrote Lucas Holt, lead developer of MidnightBSD, on Github.