Much of the concern with how age verification methods remove anonymity online applies not only to hackers and to the way in which it chills speech, but also to the government itself. Any level of removing anonymity gives the government a leg up in identifying users. 

The Protecting Kids on Social Media Act creates a pilot program to verify the age of users who visit various websites. The program protects data that links verification to actual accounts, with some exceptions. The legislation requires that the pilot program does not keep a list of the social media platforms where users have verified their ages and identities, aside from aggregate anonymized data. The proposal also requires any information obtained on individuals using the pilot program to be kept confidential while laying out four specific exceptions. These include sharing information with user consent; “in connection with oversight by an Inspector General,” which means the IG has access; if there is an investigation into a user who “committed fraud against the Pilot Program,” which means information can be exposed this way, too; or “pursuant to a court order.”

While the bill’s drafters clearly intended to keep exceptions narrow, these opportunities for disclosure are new because the pilot program and its data problems would not exist without this legislation. And, as this series has explored, the government has a poor track record on data security.

Even if an age verification system were set up entirely outside of the government, according to the Supreme Court’s third-party doctrine, “there is no expectation of privacy in information voluntarily provided to others.” The doctrine is regularly applied to cases regarding electronic information, as our data is stored in many ways by many entities. Were the government to ask a company for identifying age verification data—because the information was voluntarily provided—the Supreme Court may look at a lawsuit about this very issue and rule in favor of the government.

Although the outcome would be harder to predict nowadays, as the Court’s approach in Carpenter v. United States makes future applications of the doctrine less clear, the Court may look favorably upon the government. But those concerned here ought to keep a careful eye on this legislation.

Under the pure text of this legislation, while linking people to the accounts where they verified their ages is prohibited, there are four scenarios in which verifying whether a person has used the pilot program to confirm their age is permissible—and sometimes, that is all it would take to figure out if that person has created an anonymous account on a specific platform.

Going back to non-legal methods of unmasking users, say one part of the government has interest in revealing the identity of a user called “LoveSloths9,” for legal or personal reasons. They have narrowed LoveSloths9’s real identity to a relatively small group of possible people: Maybe they have gathered education, location and work information from LoveSloths9’s posts on a small social media platform called “Sloth Lovers Welcome” and input it into LinkedIn, finding about 200 results. Sloth Lovers Welcome has also opted into the pilot program in order to save money and potential legal stress, and the safe harbor made it the smartest option for their business.

In order to unmask the user by means of data kept in the pilot program, the government may not even need to know that the actual person verified their age on Sloth Lovers Welcome—only which people from their relatively small list of suspects have input their information into the pilot program. If only one person from their list has done so, they have their answer. Even if a few people have verified their age through the program, the potential list of people who may be LoveSloths9 is reduced. While not a fool-proof assurance, this reduces the possibility of anonymity online.

And even if websites that verify age using the legislation’s pilot program are not connected to the individual user account in the program, there are still other problems. Connecting government IDs or biometric data to usernames—which will presumably be needed to log into the age verification pilot program—can unmask users. If someone trusts the discretion of those at the Department of Commerce, that person may use a screenname that they also use for anonymous accounts. If that data is shared, they will no longer remain anonymous, as it will be connected with their IDs or biometric data. Take, for example, LoveSloths9 using that same screenname or [email protected] as an email. All of that information may be used to further narrow down users. 

While the legislation requires that the pilot program keep “no record of the platforms where users have verified their identity,” the government doesn’t always delete data when it’s supposed to. The Hill reported that “[a] judge on a secretive federal court was ‘extremely concerned’ that the NSA’s continued to hold on to data that it was supposed to delete, he wrote in the November 2015 opinion.”

The Federal Bureau of Investigation has had similar problems. In 2019, the National Security Agency (NSA) inspector general said the agency lagged in deleting data. Here, trust hinges on the Department of Commerce executing its role in accordance with the law. That age verification data—from government IDs to biometric data—could remain connected to free expression online and used by the federal government is concerning. 

Even more troublingly, Sen. Ron Wyden (D-Ore.) wrote to the Department of Commerce—where the age verification pilot program would be hosted—about his concerns that the department’s International Trade Administration is helping other countries spy on its citizens. A press release from the senator’s office reads, “[t]he agency informed Wyden’s office last year it had promoted the sale of surveillance technology, but declined to share which products it promoted, or which foreign markets it targeted.” 

Finally, the pilot program can be served warrants and court orders for user information. And whereas platforms sometimes fight government requests to unmask users, particularly in cases where the platforms are concerned about the legitimacy of the government’s action, the government’s own depository is unlikely to do the same. 

This is part of the series: “The Fundamental Problems with Social Media Age-Verification Legislation.”

Get the latest on technology policy in your inbox. Sign up for the R Street newsletter today.