While Congressional efforts to improve youth online safety must be commended, U.S. lawmakers must act judiciously to avoid enacting well-intentioned legislation that exacerbates privacy and cybersecurity risks. The Kids Online Safety Act (KOSA) is one such example where well-meaning efforts to ensure youth online safety could inadvertently lead to increased surveillance and diminished online freedoms for individuals of all ages.
The drafters of KOSA correctly identify that U.S. teens face a wide range of societal and mental health challenges today, including anxiety, depression, and substance use. A growing body of empirical evidence suggests that these issues increasingly affect youth not only in the United States but also across the developed world, including many European countries. Some of these issues, like depression and substance use, are also on the rise in adult populations, suggesting a multifaceted, broader systemic challenge in the United States and beyond.
However, KOSA’s approach to solving such complex societal problems by mandating technical solutions is a cause for concern. By potentially holding the private sector liable for all sorts of societal ills, the legislation could inadvertently increase surveillance and cybersecurity risks for both youth and adults. Likewise, KOSA’s overly broad definition of “harm” and the virtually unchecked authority granted to the Federal Trade Commission and state attorneys general pose additional concerns. These aspects of the proposed legislation raise the possibility that a less scrupulous future administration—Democratic or Republican—could seek to misuse the law in an effort to restrict information on important but politically partisan topics.
KOSA’s Mandatory Age Verification Would Increase Surveillance and Privacy Risks for All Users
Unlike earlier drafts, the latest KOSA draft does not directly mandate age verification. Instead, it proposes a study to evaluate “the most technologically feasible methods and options for developing systems to verify age at the device or operating system level,” as outlined in KOSA §9(a). However, at a time when intrusive age verification systems are gaining popularity at the state level, the language of Section 9 could potentially create a backdoor through which regulators might implement an invasive age verification requirement.
The bill’s sponsors, such as Senator Richard Blumenthal (D-CT), emphasize that it “does not impose age verification requirements or require platforms to collect more data about users (government IDs or otherwise).” Others might highlight the growing availability of alternative means of age verification, including credit cards, cell phone registration, or facial age estimation techniques. However, these methods often carry privacy and security risks of their own, especially depending on how they are implemented. Moreover, these age-verification methods would also apply to all users—not just those below the statutory minimum age of 17.
Furthermore, even with less intrusive (and potentially less accurate) forms of identity verification, businesses would have an incentive to minimize potential risks and avoid costly identity verification systems by asking all users for government-issued identification. At a time when Congress has not established a federal privacy law and a growing share of Americans are worried about data misuse and cyberattacks, the proposed legislation could add new vulnerabilities for the sensitive personal data of U.S. adults and youth—from biometric data to financial information and social security numbers.
In this context, a comparison with minimum-age drinking might provide a helpful, albeit imperfect, frame of reference. The 1984 Federal Uniform Drinking Age Act established 21 as the minimum national drinking age in the United States. Similar to KOSA, this law’s provisions are intended to apply only to underage consumers since it forbids serving alcohol to those under 21. However, drinking establishments must establish whether an individual is 21 or older by asking for a government-issued ID to avoid liability. Wanting to avoid penalties, bars often err on the side of caution, with the result that customers might be asked for identification even if they are well above the minimum drinking age. Consequently, although the law is intended to apply to those under 21, it also affects older adults, who must now carry identification to establish their age.
Unlike online platforms and websites, bars do not need sophisticated digital methods to verify someone’s identity, reducing any associated privacy and surveillance risks. In contrast, online platforms and websites would not only need to introduce potentially intrusive methods of identity verification, but they would also have an incentive to monitor user activity continuously and, in some cases, remove content or censor speech to avoid liability. Therefore, compared to the analog world, the cybersecurity and surveillance risks associated with age verification for online platforms are much higher—and they could easily affect all users, not just those under the statutory minimum age.
KOSA Defines “Harm” Too Broadly and Fails to Create Meaningful Checks for the Federal Trade Commission
Another problematic aspect of KOSA is that it defines “harm” and the risks of harm too broadly while giving the Federal Trade Commission (FTC) and state attorneys general extensive discretion in deciding how the law will be interpreted and enforced. If harm were defined more narrowly (e.g., terrorism-related content or “grooming”) in statute, the increased surveillance and censoring activities would apply in a more limited set of circumstances. However, the overly broad approach to defining harm in Sections 2 and 3—which includes relatively common issues like “anxiety,” “depression,” and “eating disorders” in certain instances—means that a significant portion of online activity could be monitored. As a result, the surveillance risks associated with KOSA are much higher than they would have been if harms were more narrowly defined.
These risks are especially pronounced due to the absence of comprehensive federal privacy legislation in the United States. As a result, U.S. residents often do not enjoy consistent privacy protections across sectoral and state boundaries—unlike their counterparts in the European Union, Canada, and Japan. Against this backdrop, it is unsurprising that civil liberties groups, such as the Electronic Frontier Foundation (EFF) and American Civil Liberties Union (ACLU), have warned about the surveillance and censorship risks KOSA presents.
Likewise, KOSA would grant the FTC and state attorneys general significant authority in interpreting and enforcing the law without creating meaningful checks on their powers. The growing polarization of the political environment and politicization of erstwhile neutral regulatory agencies means legislation like KOSA could be used to pressure websites and suppress content that the government du jour deems harmful to minors—including social and political content that reflects the views of the other end of the political spectrum.
In other words, an unscrupulous administration could use such legislation to restrict information on important but politically partisan topics—such as abortion, climate change, and gun rights—in certain contexts (however, under §2(3)(B), KOSA’s proposed obligations and liability do not apply to educational institutions, non-profit organizations, and news organizations for certain types of content—limiting the FTC’s ability to take down content by those organizations that are deemed harmful). That is why any online harm legislation should include a more precisely defined, narrower set of harms and mechanisms to ensure regulatory neutrality and accountability.
In summary, while the government must develop policies to improve youth online safety and address the broader social and mental health challenges the bills’ sponsors correctly identify, KOSA is not the answer. U.S. lawmakers must recognize the unintended consequences that the proposed legislation would introduce for individuals of all ages. For these reasons, the National Taxpayers Union stands in opposition to the Kids Online Safety Act and urges members of the House of Representatives to oppose the bill in its current form.