STATE OF UTAH
BEFORE THE UTAH DEPARTMENT OF COMMERCE DIVISION OF CONSUMER PROTECTION

In the Matter related to the Utah Social Media Regulation Act proposed rule

Comments of the R Street Institute

The R Street Institute (R Street) is a nonprofit, nonpartisan public policy research organization headquartered in Washington, D.C. with multiple offices across the United States. Our mission is to engage in policy research and outreach to promote free markets and limited, effective government. R Street submits these reply comments in response to the Notice of Comment Period issued by the Utah Department of Commerce on Oct. 15, 2023. R Street appreciates the Department encouraging the public to submit comments on the proposed rule.

Introduction

R Street has documented extensive concerns with the concept, execution, and constitutionality of age verification as a barrier for access to free speech on social media. Below, we detail our concerns with the proposed rule’s suggested methods of verifying age, collecting data, categorizing social media, interacting with the First Amendment, and verifying Utah residency.

Problems with Age-Verification Methods

The proposed rule lists “acceptable forms or methods of identification” that can be used in the “age verification process.” These acceptable methods include “validating and verifying mobile telephone subscriber information” using the last four digits of a user’s Social Security number, estimating age based on facial characteristics or analysis, or matching a user’s government identification to a live webcam video or photo of the person present.

Unfortunately, these methods of age verification—indeed, all methods—raise the same concerns that R Street has enumerated on this topic in the past: They are extremely invasive to user privacy and concerning from a security perspective. Scanning one’s face and sharing a government identification card or inputting even part of a Social Security number are not only invasions of privacy but would also expose users to extreme cybersecurity risks, especially given the increasing pervasiveness of cybercrimes in the last few years. One survey conducted in 2023 by a major research university found that hacks designed to “steal, change or make public important data” had successfully been carried out on more than 80 percent of U.S. companies.[1] Additionally, between early 2020 and early 2021, cybercrime that involved ransomware rose 102 percent globally.[2] And more data and studies show the same kind of problem.[3] In addition, Social Security numbers are not secure; millions have been exposed in data breaches.[4] Furthermore, as the proposed rule itself acknowledges, the provision suggesting that a government-identification document could be matched to a live video is problematic because the person on camera may not be the user—it could be someone else the user has put in front of the camera to trick the system.

Meanwhile, the less invasive suggested approach of “estimating a current account holder’s age based on the date a Utah account holder created the account” in itself would be unlikely to satisfy the age verification requirement, as people can transfer accounts, and most social media platform users joined within the last 18 years.

Data Protection Concerns

The provision that “[a] social media company may not collect more than the least amount of data reasonably necessary to comply with Sections 13-63-102, R152-63-4, and R152-63-6” is of little reassurance when these companies will be penalized for failing to identify user age. To avoid such penalties, they will still likely collect the manifest information outlined above, including Social Security numbers or face scans.

The proposed rule also outlines requirements for protecting data collected for age verification, including using it for no other purpose and segregating it from other data the company collects, “permanently and completely erasing the collected data as quickly as possible, but no more than 45 days after the social media company or its agent” completes the age-verification process. However, this ignores the landscape of ever-increasing cyberattacks discussed above. Data minimization—the principle that reducing the amount of data collected can help reduce data hazards down the line—is key to preventing sensitive data from being taken in the first place.[5] Requiring that data be deleted is a wise provision, but requiring that sensitive information be collected at all represents the real hazard.

Many are also concerned about how social media companies with possible ties to adversarial governments might handle the private data they would be required to collect. In fact, Gov. Spencer Cox stated that:

“China’s access to data collected by TikTok presents a threat to our cybersecurity … As a result, we’ve deleted our TikTok account and ordered the same on all state-owned devices. We must protect Utahns and make sure that the people of Utah can trust the state’s security systems.”[6]

Rather than protecting Utahns, this proposed rule would force social media companies like TikTok to acquire the most sensitive information from users like government identifications, face scans, and partial Social Security numbers. If Gov. Cox is correct in his assessment of TikTok’s threat, the company might see this rule as a means to acquire the maximum amount of sensitive user information possible, claiming it to be necessary to fulfill the law’s requirements. Furthermore, although a provision of the proposed rule requires that this data stay in the United States, any dishonorable social media company could still access it by finding a U.S. provider willing to contract with them.

Questionable Categorizing of Social Media Companies

The rule details that “‘Social media company’ means the same as it is defined by Subsection 13-63-101(9),” which is “a person or entity that […] provides a social media platform that has at least 5,000,000 account holders worldwide” and “is an interactive computer service.”[7] “Social media platform” is narrowed to exclude many uses such as platforms whose main functions are electronic mail, direct messaging, streaming services for licensed content, non-user-generated news, most e-commerce, gaming, photo editing, professional artistic (nonpornographic) networks, public-safety community groups, career development platforms, business-to-business software, conferencing software, cloud storage, document sharing/collaboration, cloud computing services, and more.

While this definition would likely exclude Microsoft Word, Google Docs, LinkedIn, news sites, and video games, among other platforms, it would likely include common platforms like Instagram and TikTok, as well as other sites not traditionally considered to be social media, such as AllTrails, Inspire (a forum for those battling chronic diseases), and GoodReads.[8] Excluding professional networks and public safety groups but not hiking, disease, or other affinity-based platforms is an arbitrary restriction on speech that would likely violate the First Amendment.

Another related issue is that the provision that “[d]ata collected by a social media company to comply with Sections 13-63-102, R152-63-4, or R152-63-6 may not be stored, maintained, transferred, or processed outside the United States of America” could have serious implications for the future of a free, open internet. The internet is global, and social media companies are not always based in the United States. It is unclear how requiring companies based outside of the United States to work with U.S.-based companies to verify age would better protect data.

First Amendment Concerns

The Supreme Court has long recognized the First Amendment right to free, anonymous speech.[9] This right applies to online speech, such as that on message boards, as well.[10] As Justice Clarence Thomas wrote in concurrence on a 1995 case, “[a]fter reviewing the weight of the historical evidence, it seems that the Framers understood the First Amendment to protect an author’s right to express his thoughts on political candidates or issues in an anonymous fashion.”[11] Age-verification methods that force users to provide their most sensitive, identifying information to access platforms containing constitutionally protected speech infringe on this right. In fact, not only is most speech on social media platforms protected by the First Amendment, but the Supreme Court also recognizes that children have First Amendment rights, too.[12]

Additionally, if this proposed rule were to be put in place, many users would have valid concerns about their anonymous profiles being tied to their actual identities. Even if social media companies were to perfectly protect and dissociate age-verification data from user profiles, just the concern that anonymity might be compromised could cause these regulations to run afoul of the First Amendment and chill speech. And the “chilling effect”—when people self-censor or “chill” their speech—can cause laws to be ruled unconstitutional.[13] For example, anyone who wishes to share an unpopular opinion or discuss a sensitive issue like chronic disease or divorce may think twice before voicing their opinion if they fear they might be identified.[14]

Another First Amendment concern is that of under-inclusivity.[15] For example, in Brown v. Entertainment Merchants Association, the late Justice Antonin Scalia wrote the majority opinion in which he explained that a law restricting minor access to violent video games but not violent movies, books, or other media was improperly tailored.[16] This proposed rule faces the same issue of under-inclusivity by restricting minor access to one type of media, but not others, as well as by both restricting access to some social media platforms but not others and exempting some affinity social media platforms but not others. In that majority opinion, Scalia also referenced the issue of over-inclusivity when he explained that if a minor’s guardians are not concerned about their children’s access to violent video games, restricting access to such games for those minors was a violation of their First Amendment rights. For these reasons and more, he explained why that law could not “survive strict scrutiny.”[17] The same issues exist with Utah’s proposed age-based social media regulations.

Website traffic is another issue that combines First Amendment issues with website feasibility issues. In a case affirming a permanent injunction that stopped the enforcement of the Child Online Protection Act (COPA), the Third Circuit recognized that age verification would result in decreased traffic to certain websites. The court wrote that such age-verification requirements “present their own First Amendment concerns by imposing undue burdens on Web publishers due to the high costs of implementing age-verification technologies and the loss of traffic that would result from the use of these technologies.”[18]

First Amendment jurisprudence holds the government to a high standard. To overcome scrutiny, the government must use the least-restrictive means of regulation to accomplish its constitutional goal. Two decades ago, Justice Anthony Kennedy wrote the majority opinion in Ashcroft v. ACLU—where the Court found COPA unconstitutional—explaining that filtering software, which is available to parents, would not only accomplish the age-restriction goal but would do so more effectively than the government could.[19] An added benefit of using parental control over government regulations is that the government would not have to infringe on any speech. The same holds true today and with this proposed rule: Parental filters are widely used and would address this issue more effectively than Utah government regulation.[20] In fact, many platforms already offer parental controls.

Thus, decades-old federal laws focused on verifying user age have been overturned by the courts and reduced in scope for all of these reasons and more.[21]

Verifying Utah Residency

The final issue, perhaps the most basic of all, is that while the new proposed rule would apply to all residents of Utah, it fails to explain how platforms would identify whether someone is a resident of the state or not. Whether a user legally resides in another state and is accessing social media in Utah, or a Utah resident is using a VPN that changes their virtual location, it might sometimes be impossible to know whether a social media user is located in Utah, let alone a resident, and whether they are subject to the age-verification process at all.[22]

Conclusion

The R Street Institute thanks the Utah Department of Commerce for the opportunity to submit these comments.

Respectfully submitted,

___/s Shoshana Weissmann____

Shoshana Weissmann
Digital Director and Resident Fellow

The R Street Institute
1411 K Street N.W., Suite 900
Washington, D.C. 20005
(202) 525-5717
Feb. 5, 2024

[1] More Than 80 Percent of Firms Say They Have Been Hacked, Duke CFO Global Business Outlook, https://cfosurvey.fuqua.duke.edu/press-release/more-than-80-percent-of-firms-say-they-have-been-hacked (last visited Jan. 24, 2024).

[2] The New Ransomware Threat: Triple Extortion, Check Point Research Blog (May 12, 2021), https://blog.checkpoint.com/security/the-new-ransomware-threat-triple-extortion (last visited Jan. 24, 2024).

[3] Shoshana Weissmann, If Platforms Are Required to Have Your Government IDs and Face Scans, Hackers and Enemy Governments Can Access Them Too, R Street (May 22, 2023), https://www.rstreet.org/commentary/if-platforms-are-required-to-have-your-government-ids-and-face-scans-hackers-and-enemy-governments-can-access-them-too (last visited Jan. 24, 2024).

[4] Sophie Bushwick, Social Security Numbers Aren’t Secure: What Should We Use Instead?, Scientific American (Sept. 24, 2021), https://www.scientificamerican.com/article/social-security-numbers-arent-secure-what-should-we-use-instead (last visited Jan. 24, 2024); Ashraf Khalil, DC Health Link Data Breach Blamed on Human Error, Associated Press (April 18, 2023, 5:23 PM EST), https://apnews.com/article/congress-dc-data-breach-cyber-security-7505d83dfa5ddb06765e6ff4de9abfcc (last visited Jan. 24, 2024).

[5] Shoshana Weissmann, Age-Verification Legislation Discourages Data Minimization, Even When Legislators Don’t Intend That, R Street (May 24, 2023), https://www.rstreet.org/commentary/age-verification-legislation-discourages-data-minimization-even-when-legislators-dont-intend-that (last visited Jan. 24, 2024).

[6] News Release: Gov. Spencer Cox Orders TikTok Ban on State-Owned Devices, Media Release (Dec. 12, 2022), https://governor.utah.gov/2022/12/12/news-release-gov-spencer-cox-orders-tiktok-ban-on-state-owned-devices (last visited Jan. 24, 2024).

[7] Utah Code § 13-63-101 (2023).

[8] Leadership – Inspire, Inspire Corporate Website, https://corp.inspire.com/about-us/leadership (last visited Jan. 24, 2024).

[9] Jeff Kosseff, The United States of Anonymous: How the First Amendment Shaped Online Speech, Cornell University Press, https://www.cornellpress.cornell.edu/book/9781501762383/the-united-states-of-anonymous (last visited Jan. 24, 2024); Shoshana Weissmann, Age-Verification Methods, In Their Current Forms, Threaten Our First Amendment Right to Anonymity, R Street (June 1, 2023), https://www.rstreet.org/commentary/age-verification-methods-in-their-current-forms-threaten-our-first-amendment-right-to-anonymity (last visited Jan. 24, 2024).

[10] Weissmann, supra note 9.

[11] McIntyre v. Ohio Elections Comm’n (93-986), 514 U.S. 334 (1995).

[12] Tinker v. Des Moines Independent Community School District, 393 U.S. 503 (1969).

[13] Frank Askin, Chilling Effect, The First Amendment Encyclopedia, Middle Tennessee State University (last updated Jan. 4, 2024), https://firstamendment.mtsu.edu/article/chilling-effect (last visited Jan. 24, 2024); Weissmann, supra note 9.

[14] Shoshana Weissmann, Current Age-Verification Methods Threaten Our First Amendment Rights Beyond Anonymity, R Street (June 22, 2023), https://www.rstreet.org/commentary/current-age-verification-methods-threaten-our-first-amendment-rights-beyond-anonymity (last visited Jan. 24, 2024).

[15] Id.

[16] Brown, et al. v. Entertainment Merchants Assn. et al., 564 U.S. 786 (2011).

[17] Id.

[18] American Civil v. Mukasey, 534 F.3d 181 (3d Cir. 2008).

[19] Ashcroft v. American Civil Liberties Union, 542 U.S. 656 (2004), 322 F.3d 240, affirmed and remanded, Supreme Court of the United States, No. 03-218, https://www.supremecourt.gov/opinions/03pdf/03-218.pdf (last visited Jan. 24, 2024).

[20] Weissmann, supra note 14.

[21] Id.

[22] Shoshana Weissmann, Canyon Brimhall, Age-Verification Laws Don’t Exempt VPN Traffic. But That Traffic Can’t Always Be Detected, R Street (Aug. 29, 2023), https://www.rstreet.org/commentary/age-verification-laws-dont-exempt-vpn-traffic-but-that-traffic-cant-always-be-detected (last visited Jan. 24, 2024).