microsoft-systemd-findings-.../09-microsoft-deep-dive.md
2026-03-23 06:01:08 +00:00

Microsoft Deep Dive - Lobbying, Identity Infrastructure, and Age Verification

Microsoft's Federal Lobbying on Child Safety

| Metric | Value |
|---|---|
| 2024 federal lobbying spend | $10,353,764 |
| Combined Big Tech spend (2024) | $61.5M (Microsoft, Meta, Alphabet, ByteDance, X, Snap) - 13% increase over 2023 |
| Combined 2020-2024 | $260M across the group |

Bills Microsoft Lobbied On (LD-2 Filings)

| Bill | Description |
|---|---|
| S. 1409 - KOSA | Kids Online Safety Act |
| S. 1418 - COPPA 2.0 | Children and Teens Online Privacy Protection Act |
| H.R. 2732 / S. 1207 - EARN IT Act | Anti-CSAM bill |
| S. 2708 - DETOUR Act | Dark patterns regulation |

Filing descriptions: "Online Child Safety and video gaming issues" and "online privacy and online safety."

Brad Smith's KOSA Endorsement (January 30, 2024)

Microsoft Vice Chairman and President Brad Smith publicly endorsed KOSA the night before the Senate Judiciary Committee hearing with Big Tech CEOs:

"We must protect youth safety and privacy online... [KOSA] provides a reasonable, impactful approach to address this issue... Microsoft supports this legislation, encourages its passage."

Microsoft was the second major tech company (after X/Twitter) to publicly back KOSA.

AB-1043: Notable Absence

Microsoft was NOT listed as a supporter of AB-1043. Google, Meta, and OpenAI were named in Assemblymember Buffy Wicks' press releases. Microsoft neither supported nor opposed the bill publicly.

The bill directly affects Windows, yet Microsoft stayed silent. Analysts note that Microsoft's compliance cost would be near zero, since Windows already requires a birth date at Microsoft Account creation. The silence is strategically advantageous.

Microsoft's Child Safety Coalition Memberships

| Organization | Microsoft's Role |
|---|---|
| Family Online Safety Institute (FOSI) | Full member, Board of Directors representative. Kim Sanchez chaired the FOSI Board in 2010 |
| Technology Coalition | Founding member - industry group combating child sexual exploitation |
| WeProtect Global Alliance | Member - multistakeholder org fighting child exploitation |
| Thorn / All Tech Is Human | Committed to "Safety by Design" for generative AI (April 2024) alongside Amazon, Anthropic, Google, Meta, OpenAI |
| NCMEC | Corporate partner - donated PhotoDNA (2009), integrated AMBER Alerts (2006) |
| ICMEC | Donated $1.5M+ to law enforcement training (since 2003), $1M to anti-CSAM campaign (2004), donated PhotoDNA to Project VIC |
| Digital Childhood Alliance | NOT a member - this is Meta's shell advocacy group |

Gates Foundation to Common Sense Media to AB-1043 Pipeline

  • The Gates Foundation (Bill Gates is board chair of Microsoft) is a foundation partner of Common Sense Media
  • Common Sense Media's political arm Common Sense Kids Action was a primary advocate for AB-1043 and KOSA
  • Assemblymember Buffy Wicks - author of AB-1043 - previously served as Campaign Director for Common Sense Kids Action (starting 2016)
  • Ageless Linux analysis: companies like Microsoft that already collect age data face near-zero compliance costs, while open-source competitors face existential implementation burdens

Xbox: $20M FTC Fine and UK Age Verification

FTC COPPA Settlement (June 2023)

Microsoft paid $20 million to the FTC for Xbox COPPA violations. The company illegally collected personal information from 218,000 children under 13 (2017-2021) and retained data for approximately 10 million individuals for at least 5 years without parental consent. The enforcement action likely accelerated Microsoft's investment in proper age verification.

Xbox UK Age Verification (Deployed July 2025)

| Feature | Detail |
|---|---|
| Partner | Yoti (digital identity) |
| Methods | Selfie/facial age estimation, government ID scan, mobile carrier check, credit card |
| Privacy | Selfies and IDs encrypted and deleted after use. Yoti produces only over/under result |
| Consequence of non-verification | Social features restricted (voice chat, messaging, game invites). Gameplay unaffected |
| Expansion | Plans to expand beyond UK |

Microsoft Entra Verified ID: Age Verification Infrastructure

Core Capabilities

Microsoft's managed verifiable credential service, built on W3C standards, explicitly supports age verification:

  • ageOver claims: Official planning docs recommend abstract age claims (ageOver 13, ageOver 21, ageOver 60) rather than exposing birth dates. Principle: "each claim should meet the need while minimizing the detail."
  • Selective disclosure: Proof of age without revealing birth date, with correlation-prevention measures
  • FaceCheck: Biometric verification matching real-time selfie against ID document photo. iBeta Level 2 conformant against deepfakes. Photos not stored.
  • IDV partners: AU10TIX, LexisNexis Risk Solutions, IDEMIA - government ID checks across 192 countries
  • Standards: W3C Verifiable Credentials, W3C DIDs, DIF Sidetree, DIF Presentation Exchange, did:web trust system
  • Wallet: Microsoft Authenticator app

Architecture

Issuer (gov't, employer, etc.)
  │
  └─→ Issues Verifiable Credential (VC) with age claims
       │
       └─→ Stored in Microsoft Authenticator (user's wallet)
            │
            └─→ User selectively presents age bracket to Verifier (app)
                 │
                 └─→ Verifier validates against issuer's DID
                      (never sees birth date, only age bracket)

Strategic Positioning

Microsoft is the best-positioned major OS vendor to comply with AB-1043 because:

  1. Windows already collects birth dates during Microsoft Account setup (since at least Windows 10)
  2. Entra Verified ID already supports ageOver claims with selective disclosure
  3. Xbox has live multi-method age verification deployed in the UK
  4. The $20M FTC settlement created organizational motivation to get it right
  5. Microsoft Authenticator already functions as a verifiable credential wallet

Windows AB-1043 Compliance Path

The proposed approach: "the OS returns a cryptographically signed, non-PII token attesting to a user's bracket. Apps verify the token signature and accept the bracket without ever seeing the underlying birthdate."

Analysts describe the engineering lift as "more procedural than architectural" - the main work involves formalizing an API, synchronizing with Microsoft Store, and updating developer SDKs.
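
The signed bracket token quoted above, sketched as an added example (not Microsoft, Entra or Windows code): an issuer derives the page's ageOver claims from a birth date and signs them, and an app verifies the signature without ever receiving the date. The token layout, the `aud` and `exp` fields, the Ed25519 choice and every function name are assumptions; the birth date and key pair are constructed.

```javascript
// Added example: issuer and verifier for a signed age-bracket token.
// Layout, field names and Ed25519 are assumptions, not a Microsoft API.
const { generateKeyPairSync, sign, verify } = require("node:crypto");

const THRESHOLDS = [13, 21, 60]; // the ageOver brackets named on the page

// Whole years between birthDate and today (both "YYYY-MM-DD").
function ageOn(birthDate, today) {
  const [by, bm, bd] = birthDate.split("-").map(Number);
  const [ty, tm, td] = today.split("-").map(Number);
  // Subtract a year if this year's birthday has not been reached. A 29 Feb
  // birthday therefore counts as reached on 1 Mar in non-leap years.
  return ty - by - (tm < bm || (tm === bm && td < bd) ? 1 : 0);
}

// Issuer side: the birth date is consumed here and never enters the token.
function issueToken(privateKey, birthDate, audience, nowSec, ttlSec = 300) {
  const today = new Date(nowSec * 1000).toISOString().slice(0, 10);
  const age = ageOn(birthDate, today);
  const claims = { aud: audience, exp: nowSec + ttlSec };
  for (const t of THRESHOLDS) claims[`ageOver${t}`] = age >= t;
  const payload = Buffer.from(JSON.stringify(claims));
  const sig = sign(null, payload, privateKey); // Ed25519 takes no digest name
  return `${payload.toString("base64url")}.${sig.toString("base64url")}`;
}

// Verifier side: check the signature before parsing, then audience and expiry.
// Returns the claims object, or null if any check fails.
function verifyToken(publicKey, token, audience, nowSec) {
  const parts = token.split(".");
  if (parts.length !== 2) return null;
  const payload = Buffer.from(parts[0], "base64url");
  const sig = Buffer.from(parts[1], "base64url");
  if (!verify(null, payload, publicKey, sig)) return null;
  const claims = JSON.parse(payload.toString("utf8"));
  if (claims.aud !== audience || claims.exp <= nowSec) return null;
  return claims;
}

// Demo with a constructed birth date and a throwaway key pair.
const demoKeys = generateKeyPairSync("ed25519");
const demoNow = Math.floor(Date.now() / 1000);
const demoToken = issueToken(demoKeys.privateKey, "2010-03-15", "app.example", demoNow);
console.log(verifyToken(demoKeys.publicKey, demoToken, "app.example", demoNow));
```

Binding the token to an audience and a short expiry keeps one app's token from being replayed to another or reused after the user's bracket changes.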

Entra Verified ID vs. systemd userdb: No Integration, But Conceptual Parallel

| Feature | systemd userdb | Entra Verified ID |
|---|---|---|
| Format | JSON user records | W3C Verifiable Credentials (JSON-LD) |
| Age data | birthDate field (YYYY-MM-DD) | ageOver claims (13, 21, 60) |
| Storage | Local filesystem / Varlink | Cloud-based + Authenticator wallet |
| Attestation | None (self-reported) | Cryptographically signed by issuer |
| Privacy | Full birth date exposed | Selective disclosure (bracket only) |
| Portability | systemd-homed portable home dirs | Credentials travel with user |
| Governance | systemd BDFL model | W3C/DIF open standards |

No one has built or announced any integration. A convergence path exists, however: systemd could store a locally cached age bracket derived from an Entra Verified ID credential, surfaced via xdg-desktop-portal to applications.


Key Assessment

Microsoft benefits from age verification legislation regardless of whether it actively supports specific bills:

  1. Near-zero compliance cost - Windows already collects birth dates
  2. Competitive moat - open-source and smaller OS providers face existential implementation burden
  3. Identity infrastructure leadership - Entra Verified ID + Authenticator become the de facto standard
  4. Employee influence - Boccassi (still at Microsoft) merged the systemd birthDate field that creates the Linux infrastructure
  5. Silent beneficiary - by not publicly supporting AB-1043, Microsoft avoids backlash while competitors (Google, Meta) take the heat