Donate
  • Freedom
  • Innovation
  • Growth

KOSA Should Not Mandate Age Verification

The House Energy & Commerce Committee was scheduled to “markup” the Kids Online Safety Act (KOSA) this morning but cancelled the markup at the last minute. (Proposed bills go to a committee markup to give members opportunities to change or amend a bill and to see if there is committee support to move the bill along toward a possible full vote.)
 
In the case of KOSA, there are too many problems to advance the bill, even though many proponents have the best of intentions. So it’s a good thing that the markup has run into problems.
 
Let’s focus on the biggest problem: Mandating age verification.
 
The best online privacy practices include the following principles: Don’t collect personally identifiable data (PID), such as driver’s license numbers, physical addresses, Social Security numbers, etc. And don’t store information any longer than necessary to provide the service, because of the cybersecurity danger of having information stolen and sold to criminals.
 
It isn’t a perfect system, but the most harmful hacking incidents have been when such information WAS collected and persistently stored.
 
Here’s the thing: KOSA requires that online platforms do ALL of those things. Companies MUST collect personally identifiable data, and they must store it.
 
And they won’t just be collecting information on minors. How does a platform know that a 45-year-old isn’t fourteen without performing age verification on the adult? In fact, there is no such thing as age verification—there is only identity verification, of which age is a subset.
 
So either the platforms themselves will have to verify street addresses against property tax databases, or verify driver’s license numbers and birthdates.
 
And turning to a “trusted third party” solves nothing. AU10TIX is an Israeli company that functions as a trusted third-party verifier of identity for companies like TikTok, Uber, Upwork, Coinbase (gulp) and X (formerly Twitter). And guess what? AU10TIX got hacked, exposing users driver’s licenses and other personal information.
 
The way to protect privacy is to NOT collect personally identifiable information, not for the federal government to mandate its collection.
 
KOSA is also problematic on First Amendment grounds, for creating an undefined “duty of care” for companies, for creating enormous potential financial liability for platforms, and for granting significant new powers to the administrative state in the form of the Federal Trade Commission. There’s a lot wrong with KOSA.
 
Just because the name of a bill or the intentions behind it sound attractive doesn’t mean that the proposed government solution isn’t worse than the problem. Congress should take a pass on KOSA until and unless the many problems with it can be resolved.