hekate/microsoft-systemd-findings-public
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
microsoft-systemd-findings-.../09-microsoft-deep-dive.md
hekate 5850d38f9a Public release, findings
2026-03-23 06:01:08 +00:00

171 lines
10 KiB
Markdown
Raw Permalink Blame History

# Microsoft Deep Dive - Lobbying, Identity Infrastructure, and Age Verification
## Microsoft's Federal Lobbying on Child Safety
| Metric | Value |
|---|---|
| 2024 federal lobbying spend | $10,353,764 |
| Combined Big Tech spend (2024) | $61.5M (Microsoft, Meta, Alphabet, ByteDance, X, Snap) - 13% increase over 2023 |
| Combined 2020-2024 | $260M across the group |
### Bills Microsoft Lobbied On (LD-2 Filings)
| Bill | Description |
|---|---|
| S. 1409 - KOSA | Kids Online Safety Act |
| S. 1418 - COPPA 2.0 | Children and Teens Online Privacy Protection Act |
| H.R. 2732 / S. 1207 - EARN IT Act | Anti-CSAM bill |
| S. 2708 - DETOUR Act | Dark patterns regulation |
Filing descriptions: "Online Child Safety and video gaming issues" and "online privacy and online safety."
### Brad Smith's KOSA Endorsement (January 30, 2024)
Microsoft Vice Chairman and President Brad Smith publicly endorsed KOSA the night before the Senate Judiciary Committee hearing with Big Tech CEOs:
> "We must protect youth safety and privacy online... [KOSA] provides a reasonable, impactful approach to address this issue... Microsoft supports this legislation, encourages its passage."
Microsoft was the second major tech company (after X/Twitter) to publicly back KOSA.
### AB-1043: Notable Absence
Microsoft was NOT listed as a supporter of AB-1043. Google, Meta, and OpenAI were named in Assemblymember Buffy Wicks' press releases. Microsoft neither supported nor opposed publicly.
The bill directly affects Windows, yet Microsoft stayed silent. Analysts note Microsoft's compliance cost would be near-zero since Windows already requires birth date at Microsoft Account creation. The silence is strategically advantageous.
Sources:
- [Microsoft Corp Lobbying - OpenSecrets](https://www.opensecrets.org/orgs/microsoft-corp/lobbying?id=d000000115)
- [Microsoft LD-2 Filing - Senate.gov](https://lda.senate.gov/filings/public/filing/d086e1bd-f619-4bfd-94fb-a357f390ecb8/print/)
- [Microsoft endorses KOSA - Washington Examiner](https://www.washingtonexaminer.com/news/2827717/microsoft-president-endorses-online-child-safety-bill-night-before-big-tech-hearing/)
- [Microsoft, X back KOSA - TechCrunch](https://techcrunch.com/2024/01/31/x-microsoft-kosa-kids-online-safety-bill/)
---
## Microsoft's Child Safety Coalition Memberships
| Organization | Microsoft's Role |
|---|---|
| Family Online Safety Institute (FOSI) | Full member, Board of Directors representative. Kim Sanchez chaired the FOSI Board in 2010 |
| Technology Coalition | Founding member - industry group combating child sexual exploitation |
| WeProtect Global Alliance | Member - multistakeholder org fighting child exploitation |
| Thorn / All Tech Is Human | Committed to "Safety by Design" for generative AI (April 2024) alongside Amazon, Anthropic, Google, Meta, OpenAI |
| NCMEC | Corporate partner - donated PhotoDNA (2009), integrated AMBER Alerts (2006) |
| ICMEC | Donated $1.5M+ to law enforcement training (since 2003), $1M to anti-CSAM campaign (2004), donated PhotoDNA to Project VIC |
| Digital Childhood Alliance | NOT a member - this is Meta's shell advocacy group |
### Gates Foundation to Common Sense Media to AB-1043 Pipeline
- The Gates Foundation (Bill Gates is board chair of Microsoft) is a foundation partner of Common Sense Media
- Common Sense Media's political arm Common Sense Kids Action was a primary advocate for AB-1043 and KOSA
- Assemblymember Buffy Wicks - author of AB-1043 - previously served as Campaign Director for Common Sense Kids Action (starting 2016)
- Ageless Linux analysis: companies like Microsoft that already collect age data face near-zero compliance costs, while open-source competitors face existential implementation burdens
Sources:
- [Microsoft to chair FOSI Board - Microsoft Security Blog (2010)](https://www.microsoft.com/security/blog/2010/09/17/microsoft-to-chair-family-online-safety-institute-board-of-directors/)
- [Microsoft and NCMEC - Microsoft News (2009)](https://news.microsoft.com/2009/12/15/microsoft-and-national-center-for-missing-exploited-children-push-for-action-to-fight-child-pornography/)
- [Global Campaign Against Child Pornography - Microsoft News (2004)](https://news.microsoft.com/2004/04/22/global-campaign-against-child-pornography-is-launched-by-international-centre-for-missing-exploited-children/)
- [Gates Foundation to Common Sense Media Grant](https://www.gatesfoundation.org/about/committed-grants/2021/05/inv031206)
- [Ageless Linux lobbyist analysis](https://agelesslinux.org/lobbyists.html)
---
## Xbox: $20M FTC Fine and UK Age Verification
### FTC COPPA Settlement (June 2023)
Microsoft paid $20 million to the FTC for Xbox COPPA violations. The company illegally collected personal information from 218,000 children under 13 (2017-2021) and retained data for approximately 10 million individuals for at least 5 years without parental consent. The enforcement action likely accelerated Microsoft's investment in proper age verification.
### Xbox UK Age Verification (Deployed July 2025)
| Feature | Detail |
|---|---|
| Partner | Yoti (digital identity) |
| Methods | Selfie/facial age estimation, government ID scan, mobile carrier check, credit card |
| Privacy | Selfies and IDs encrypted and deleted after use. Yoti produces only over/under result |
| Consequence of non-verification | Social features restricted (voice chat, messaging, game invites). Gameplay unaffected |
| Expansion | Plans to expand beyond UK |
Sources:
- [FTC $20M Xbox settlement](https://www.ftc.gov/news-events/news/press-releases/2023/06/ftc-will-require-microsoft-pay-20-million-over-charges-it-illegally-collected-personal-information)
- [Xbox Age Verification UK - Xbox Wire](https://news.xbox.com/en-us/2025/07/28/xbox-age-verification-uk/)
- [Xbox age verification - The Register](https://www.theregister.com/2025/08/28/xbox_online_safety_act/)
---
## Microsoft Entra Verified ID: Age Verification Infrastructure
### Core Capabilities
Microsoft's managed verifiable credential service, built on W3C standards, explicitly supports age verification:
- `ageOver` claims: Official planning docs recommend abstract age claims (`ageOver 13`, `ageOver 21`, `ageOver 60`) rather than exposing birth dates. Principle: "each claim should meet the need while minimizing the detail."
- Selective disclosure: Proof of age without revealing birth date, with correlation-prevention measures
- FaceCheck: Biometric verification matching real-time selfie against ID document photo. iBeta Level 2 conformant against deepfakes. Photos not stored.
- IDV partners: AU10TIX, LexisNexis Risk Solutions, IDEMIA - government ID checks across 192 countries
- Standards: W3C Verifiable Credentials, W3C DIDs, DIF Sidetree, DIF Presentation Exchange, `did:web` trust system
- Wallet: Microsoft Authenticator app
### Architecture
```
Issuer (gov't, employer, etc.)
└─→ Issues Verifiable Credential (VC) with age claims
└─→ Stored in Microsoft Authenticator (user's wallet)
└─→ User selectively presents age bracket to Verifier (app)
└─→ Verifier validates against issuer's DID
(never sees birth date, only age bracket)
```
### Strategic Positioning
Microsoft is the best-positioned major OS vendor to comply with AB-1043 because:
1. Windows already collects birth dates during Microsoft Account setup (since at least Windows 10)
2. Entra Verified ID already supports `ageOver` claims with selective disclosure
3. Xbox has live multi-method age verification deployed in the UK
4. The $20M FTC settlement created organizational motivation to get it right
5. Microsoft Authenticator already functions as a verifiable credential wallet
### Windows AB-1043 Compliance Path
The proposed approach: "the OS returns a cryptographically signed, non-PII token attesting to a user's bracket. Apps verify the token signature and accept the bracket without ever seeing the underlying birthdate."
Analysts describe the engineering lift as "more procedural than architectural" - the main work involves formalizing an API, synchronizing with Microsoft Store, and updating developer SDKs.
Sources:
- [Microsoft Entra Verified ID overview](https://learn.microsoft.com/en-us/entra/verified-id/decentralized-identifier-overview)
- [Plan your Verified ID issuance solution](https://learn.microsoft.com/en-us/entra/verified-id/plan-issuance-solution)
- [FaceCheck preview - Microsoft Security Blog](https://www.microsoft.com/en-us/security/blog/2024/02/06/microsoft-entra-verified-id-introduces-face-check-in-preview/)
- [Windows Central - AB-1043 age checks in Windows](https://www.windowscentral.com/microsoft/windows/new-california-law-requires-age-checks-in-windows)
- [Windows News - State-mandated OS age signals](https://windowsnews.ai/article/state-mandated-os-age-signals-how-windows-could-be-forced-to-verify-your-age.404202)
- [Microsoft digital identity strategy whitepaper (PDF)](https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE5cxkr)
---
## Entra Verified ID vs. systemd userdb: No Integration, But Conceptual Parallel
| Feature | systemd userdb | Entra Verified ID |
|---|---|---|
| Format | JSON user records | W3C Verifiable Credentials (JSON-LD) |
| Age data | `birthDate` field (YYYY-MM-DD) | `ageOver` claims (13, 21, 60) |
| Storage | Local filesystem / Varlink | Cloud-based + Authenticator wallet |
| Attestation | None (self-reported) | Cryptographically signed by issuer |
| Privacy | Full birth date exposed | Selective disclosure (bracket only) |
| Portability | `systemd-homed` portable home dirs | Credentials travel with user |
| Governance | systemd BDFL model | W3C/DIF open standards |
No one has built or announced any integration. A convergence path exists, however: systemd could store a locally cached age bracket derived from an Entra Verified ID credential, surfaced via xdg-desktop-portal to applications.
---
## Key Assessment
Microsoft benefits from age verification legislation regardless of whether it actively supports specific bills:
1. Near-zero compliance cost - Windows already collects birth dates
2. Competitive moat - open-source and smaller OS providers face existential implementation burden
3. Identity infrastructure leadership - Entra Verified ID + Authenticator become the de facto standard
4. Employee influence - Boccassi (still at Microsoft) merged the systemd birthDate field that creates the Linux infrastructure
5. Silent beneficiary - by not publicly supporting AB-1043, Microsoft avoids backlash while competitors (Google, Meta) take the heat
Reference in a new issue View git blame Copy permalink