Different age-verification legislation vary in their approaches of how they check for compliance with mandates. It is understandable that elected officials would want to ensure companies are complying with the law. And at first blush, encouraging companies to maintain the personal information used for verification—from face scans to government IDs and home addresses—would be a helpful tool for checking compliance. The problem is that maintaining this information is incredibly dangerous for users and presents a valuable honeypot for hackers, as well as a risk for data breaches. 

The initial draft of Utah’s age-verification law serves as a prime example of this issue. The draft mandated age verification by means of government ID and home address. That same draft—along with the version signed by Utah’s Gov. Spencer Cox—also applied to TikTok. However, Cox banned TikTok from government devices due to foreign-threat security concerns, and this legislation would have mandated that the platform collect and maintain this sensitive information. The enrolled version of the bill ended up leaving the method of verification up to the Utah Department of Commerce and directing that identification methods “may not be limited to a valid identification card issued by a government entity.” But as stated, accuracy will mean IDs or biometrics. And the same concerns hold true on the federal level: while states and the federal government are concerned about TikTok and have been restricting its use on government devices, age-verification proposals would require the platforms to collect more information.

Some may not be aware just how often private companies and the government are hacked. The government piece is relevant because of legislation that makes the government the intermediary for verification, as would be the case with the newly introduced federal legislation, the “Protecting Kids on Social Media Act.” This legislation would allow platforms to create their own “reasonable” means of age verification or use one created by the government’s pilot program. If social media platforms use the latter, they are granted a safe harbor from penalties outlined in this legislation for failing to verify users’ age. 

The legislation allows the Department of Commerce to regulate to ensure that social media platforms in the pilot program “employ appropriate privacy and technical protections sufficient to prevent the abuse or improper release of Pilot Program information relating to individual users” and pursuantly revoke enrollment of any platform for security reasons. However, this is of little assurance when looking at hacking statistics.

Consider that a Duke University/CFO Magazine Global Business survey found that over 80 percent of U.S. companies have experienced a successful hack that had the intent to “steal, change or make public important data.” Antivirus and security software company Norton reported cybersecurity statistics indicating that “[m]ore than half of all consumers have experienced a cybercrime, with around one in three falling victim in the past year alone.” Another security company found that there was a 102 percent increase globally from the start of 2020 to the beginning of 2021 in cybercrime that involved ransomware. And with regard to the U.S. government, Comparitech has provided some gutting statistics—in the last nine years, the government has had “822 breaches affecting nearly 175 million records,” which was estimated to cost the government “over $26 billion from 2014 to October 2022.” These problems permeate state governments as well. This article’s author had her own data leaked in the recent DC Health Link data breach.

Further, even when the government is aware of cybersecurity risk, it often fails to act. The Government Accountability Office (GAO) shed some light on this issue in a report released earlier this year. The GAO disclosed that since 2010, they have made 335 public recommendations on a comprehensive cybersecurity strategy, but there has been no implementation of nearly 60 percent of the recommendations as of December 2022.

These concerns also apply to government contractors. There was recent controversy around the use of ID.me to verify identities for the Internal Revenue Service (IRS) because the company verifies identities using biometric data and because the software did not always function properly. The initial plan was scrapped after broad pushback and criticism of the technology’s failure, but it was already being used by many other arms of government. The IRS still currently uses ID.me, although they dropped the facial recognition requirement and allows users to speak with a representative instead. A group of U.S. senators also criticized the company for careless handling of user data. “I have repeatedly expressed concerns about the amount of data that is collected and retained by companies like @IDme,” Sen. Bob Menendez (D-N.J.) tweeted. “This report reveals that my concerns were justified—given the careless, irresponsible, and improper manner in which taxpayer information was handled.” And, the government’s own alternative—called login.gov—has been criticized for not meeting identity-proofing requirements.

And while TikTok is in the news for data access concerns with China, private companies and the government are often hacked by adversarial governments. In recent years, Russian and Chinese hackers have broken into multiple U.S. federal agencies and other parts of the government, telecommunications firms, power companies and more. Late last year, NBC reported that “[h]ackers linked to the Chinese government stole at least $20 million in U.S. Covid relief benefits, including Small Business Administration loans and unemployment insurance funds in over a dozen states, according to the Secret Service.” This year, Russian hackers attacked U.S. hospital systems.

Platforms may make the decision to collect more information as a part of their other policies. However, forcing companies’ hands to do so drives bad security practices where they need not exist. And handling age verification through a federal agency is no more promising. 

This is part of the series: “The Fundamental Problems with Social Media Age-Verification Legislation.”

Stay in the know. Sign up for R Street’s newsletters today.