GrapheneOS won't comply with Brazil’s age verification law requiring camera-based 3rd-party ID checks

I’ve spent a lot of time monitoring the Android ecosystem, specifically tracking how privacy-centric platforms like GrapheneOS handle the friction between government regulation and user security. Last week, GrapheneOS confirmed its blanket refusal to implement mandatory age verification on its operating system. Now, the project’s development team has specifically torn into Brazil’s newly activated Digital ECA law, labeling it a “privacy disaster” and detailing the alarming technical requirements needed to comply.

Taking to social media, the GrapheneOS team didn’t mince words. They outlined exactly what compliance with Brazil’s mandate would actually look like under the hood, and it’s a terrifying prospect for privacy advocates.

To legally comply, GrapheneOS would have to integrate a mandatory, system-level process for every single user. This would involve a third-party service actively checking a user’s government identification and confirming a biometric match using the device’s camera.

But the data harvesting wouldn’t stop at the camera lens. The law essentially requires the operating system to retain this sensitive data for auditing purposes. Worse, it would force GrapheneOS to generate a digital token that third-party apps and websites could ping to verify a user’s age.

From where I sit, regularly analyzing mobile software and the hardware required to keep it secure, this fundamentally breaks the core promise of a hardened OS. GrapheneOS rightly points out that tokenizing age brackets and feeding them to third-party apps actively exposes minors to exploitation, rather than protecting them. Apps and websites can change their behavior based on this leaked personal data. Furthermore, the developers noted the blunt reality of the internet: camera-based ID checks aren’t going to stop minors from finding pornography if they actively want to find it.

The hardware and infrastructure reality

Currently, GrapheneOS has no operations or team members in Brazil. They do maintain a tiny VPS in São Paulo for their ns1 anycast DNS and basic network services, primarily because São Paulo is South America’s biggest network hub. However, they’ve made it clear they are ready to pull the plug on those servers and route through Santiago if necessary, even if it results in a technical downgrade.

There’s also a massive hardware barrier at play. I closely track consumer technology pricing and the often-punishing import markups applied to mobile hardware, so GrapheneOS’s struggles in the Brazilian market make perfect sense. They noted that Brazil levies unusually high import duties and taxes, adding up to around 100% on devices. Because of this, there aren’t any devices supporting GrapheneOS directly sold in South America right now, keeping their local user base incredibly small.

However, that landscape is about to shift. GrapheneOS has officially inked a partnership with Motorola to produce a dedicated device by 2027. This partnership will inevitably change their hardware availability in heavily taxed regions, making their definitive stance against Brazil’s third-party camera checks even more significant for their future roadmap.

At the end of the day, GrapheneOS is drawing a hard line in the sand. Forcing a mobile operating system to act as a biometric checkpoint for third-party services is a massive overreach. If taking this stand means sacrificing official device sales or dismantling their server presence in certain regions, it’s a price the developers are clearly willing to pay.

We stand out from the tech-media crowd because we break news stories; we mainly bring you stuff that you won’t find anywhere in the mainstream tech media. Our stories have been picked up by some of the world’s most popular websites and media outlets—more info is available here.