u/Euhuntix

xPrivo is now officially live on the Play Store. 

To celebrate this we have hidden an incredible prize right inside our Android app, and it could be yours! Download the app from the Google Play Store, start exploring, and keep your eyes peeled.

Pay close attention to your conversations with our AI assistant. At any given moment, a highly rare, secret link will randomly appear at the very bottom of a chat reply.

The Prize: A brand new Nothing CMF Phone 1 (e/OS ready)!

How to Play & Win:

• Chat Naturally: The secret message is completely unrelated to your conversation topics. Just use the app as you normally would!
• Pure Luck: The winning link is triggered entirely at random.
• Fair Play for All: The AI assistant is completely unaware of the secret code. This means clever "prompt engineering" will not increase your chances and everyone has an absolutely equal shot at winning.

The clock is ticking, and the hunt officially closes on May 22nd. Will you be the lucky user to uncover the secret? 

Download now start chatting and start your hunt:

https://play.google.com/store/apps/details?id=com.xprivo.lux

Open to everyone who can download from the Play Store! No Reddit account is required to participate. Please note that this giveaway is not affiliated with Nothing Phone.

California's Digital Age Assurance Act, Assembly Bill 1043, was signed into law by Governor Gavin Newsom in October 2025 and takes effect January 1, 2027. It requires every operating system provider to collect a user's age at account setup and transmit that data in real time to any app developer who requests it via a standardised API. The law splits users into four age brackets: under 13, 13 to 16, 16 to 18, and 18 or above. The definition of "operating system provider" is written broadly enough to cover not just Microsoft, Apple and Google but every Linux distribution, FreeBSD, SteamOS and any other general-purpose OS. Colorado and Illinois have near-identical bills moving through their own legislatures. Similar proposals are active in New York and Brazil. As of this month, roughly half of all US states have some form of age verification law on the books, nine of which were passed in 2025 alone.

The law was designed with Apple and Google in mind. Enforcing it against a Linux distribution maintained by a community of volunteers in multiple countries with no central legal entity is a structurally different problem, and nobody in the state legislatures appears to have thought it through before writing the text.

The open source community is responding in three distinct ways:

-System76, the Colorado-based Linux hardware company, spent months lobbying the Colorado legislature directly. Their effort worked. Carl Richell, System76's founder, confirmed last month that Colorado's SB26-051 has been amended to explicitly exempt open source operating systems, applications, code repositories including GitHub and GitLab, and container platforms including Docker and Podman from the requirements. The amendment does not name Linux specifically; instead it describes software distributed under licences that allow recipients to copy, redistribute and modify freely without restriction from the provider. That wording covers essentially the entire FOSS ecosystem. The bill has passed a House committee but is not yet signed into law.

-MX Linux, one of the most widely used community distributions, has taken the clearest public stance of any distro team. In its weekly update the project stated directly: "No one on the team at MX wants to implement something like age verification." The developers cited user privacy, the structural impossibility of consistent secure implementation across a decentralised OS ecosystem, and the fundamental philosophy that open source operating systems are not designed to act as gatekeepers or data collectors. Their current position is to wait for court challenges to resolve how and whether these laws apply to non-commercial open source projects before taking any further action.

-A third response has emerged from individual developers and technically sophisticated users. One approach posted to Hacker News argues that AB 1043 compliance on a Unix-like platform is technically satisfied by a single shell variable: the user enters an age category at setup, it is written to a configuration file, and any application that queries for it can read it. The law says nothing about verification, only about provision of the data. On a system with no central authority and no mandatory login service, this approach technically complies with the letter of the law while preserving the entire architecture of user autonomy that makes Linux what it is.

Why this is not really about children:

If you think AB 1043 is aimed at Google and Apple, the evidence suggests otherwise. Both companies already have age verification in their stores. Both already have parental controls, developer policies and enforcement mechanisms. The law's broad OS-level definition, which drags in volunteer-maintained community distributions with no commercial presence in California, is not the result of careful drafting aimed at large commercial platforms. It is the result of writing legislation that requires every device to report age to every application, on every platform, with every OS as a mandatory relay node.

The practical outcome of full compliance is that an operating system becomes an identity layer that transmits user age metadata to any developer who asks for it at install time. That is not a child safety feature. That is device-level identity infrastructure. The children narrative is the political justification. The technical outcome is a mandatory link between your device, your identity bracket, and every application you run.

The fight happening in Colorado right now, where System76 successfully secured an open source exemption through direct legislative engagement, is the template for what needs to happen in California, Illinois, New York and the other states still moving these bills forward. It requires people in the open source and privacy communities who have standing in those states to engage with their own legislatures the way Carl Richell did in Colorado, before the January 2027 compliance deadline makes the point moot.

MX Linux put it clearly: direct your energy at policymakers, not at Linux projects. That advice is correct. The Linux community cannot patch its way out of legislation.

This is not only a US problem. Europe is watching closely and learning.

The EU's trajectory on age verification is directly parallel and in some ways more advanced. The European Commission's formal recommendation published last month pushes all 27 member states to deploy a standardised age verification infrastructure by December 31, 2026. EU Executive Vice President Henna Virkkunen explicitly stated at a press conference in April that the system "should not be circumvented," naming VPNs as the first target.

The pattern documented in this community is consistent. Age verification is the justification. Identity infrastructure tied to device, application and operating system is the outcome. Whether that infrastructure is being built by California's legislature, Colorado's governor, or the European Commission, the technical result is the same: a mandatory link between who you are and what software you run. The open source community's entire model of anonymous, permissionless, identity-free computing is the specific thing these laws structurally undermine, whether or not that is the stated intention.

If you try it, please share any feedback on what works, what breaks, and if possible which device you used. You can leave comments here or send feedback directly to our support email.

To celebrate Europe Day and the push for digital privacy, we’re running a special community giveaway and a promo for those who want to support European tech!

🎁 The Giveaway: Win 6 Months of PRO Free! Just leave a comment below! We will randomly select 4 commenters to win a free 6-month PRO membership.

🇪🇺 Europe Day Promo: 50% OFF PRO Want to support the project right away? Get 50% OFF your first 4 months of PRO (available on Web and the App Store).

Promo runs until 12th Mai. Winners will be announced on 13th Mai In the comments of this post.

Link to the website with the promo: https://www.xprivo.com/europe-day/

Every time you drag a file into WeTransfer, Dropbox Transfer or Google Drive and hit share, the file travels to an American server where the provider can technically read it, scan it, flag it, hand it to law enforcement, or train AI models on it. WeTransfer's own privacy policy explicitly reserves the right to scan content for policy violations. Google Drive feeds Gemini. Dropbox has disclosed law enforcement data requests for years. None of this is a secret but most people simply do not think about it when sending a contract, a medical document or a client file. Before we look at the alternative: it's worth mentioning that I also already introduced you to Localsend a few weeks ago which is another great alternative for sending files locally. It's free a open-source, cross-platform file sharing tool. I's a great Airdrop alternative for any device in the local network.

Retyc is a French startup from Lyon, built by Emilien Mantel, that starts from the opposite assumption. Its tagline is "Hors de leur portée", out of their reach, and the architecture actually delivers on that. Files and their metadata are encrypted on your device before they leave it, using the AGE encryption standard, an open source, independently audited library, not proprietary in-house cryptography. By the time the data reaches Retyc's servers, it is already locked. Retyc itself cannot read what you sent, cannot hand the content to a third party and has explicitly committed to never integrating AI into the platform.

The zero-knowledge model goes further than most "secure" file transfer services. Many competitors encrypt files in transit and at rest, which sounds reassuring until you realise that the provider still holds the keys. Retyc's model ensures the provider never has the keys in the first place. Even the metadata, file names, sizes, sender and recipient details, is encrypted before upload.

The entire infrastructure is hosted in France, fully under EU jurisdiction and GDPR compliance is built into the architecture rather than bolted on as a checkbox.

The comparison that matters is not just against WeTransfer. It is against every file sharing tool that you or your organisation currently uses by default because it came bundled with something else. Google Drive sharing links, Outlook attachments previewed on Microsoft servers, Slack file uploads processed in US data centres. Every one of these is a tool that a US company has the technical and legal ability to access. Retyc's zero-knowledge model removes that ability entirely, which is especially relevant for anyone in a profession where client confidentiality is not optional.

It launched its public beta on March 24, 2026 and is still in early access, so treat it accordingly. Test it with non-critical files first, verify the full sender and recipient experience, and evaluate whether the current free tier limits work for your use case before integrating it into sensitive workflows. The architecture is solid and the approach is exactly what the European sovereign software stack at the file transfer layer is needing.