Minnesota Law Requires Platforms to Monitor and Age-Estimate All Users

Governor Tim Walz signed House File 4138 on Tuesday, turning Minnesota into the latest state to demand that social media platforms profile every user who logs on.

The law, which takes effect in July 2027, forces platforms with at least 10,000 account holders or $1 billion in annual revenue to estimate the age of all Minnesota users, obtain parental consent before anyone under 16 can hold an account, and disable a list of features the legislature has labeled “addictive.” It passed the state House 132-2 and the Senate 66-0.

We obtained a copy of the bill for you here.

The bipartisan consensus is remarkable given what the bill actually requires. Buried beneath the child protection language is a surveillance apparatus that applies to every user, not just minors.

When you create an account on a covered platform, the law demands you declare your month and year of birth. That’s just the beginning. Once you’ve spent 25 hours on the platform within six months, the company has 14 days to estimate your age using “reasonable efforts, taking into consideration available technology and the data in the possession of the covered social media platform.”

If the platform can’t reach 80% confidence that you’re 16 or older, you get classified as a child and locked into restricted mode.

Hit 50 hours, and the confidence threshold rises to 90%. Still not verified? The age estimation repeats every six months for the first seven years your account exists, or more often if the platform runs any demographic analytics on your profile.

That means platforms are legally required to continuously analyze how you behave, what content you engage with, and who you communicate with for the better part of a decade. The law creates an obligation to surveil that didn’t exist before.

The mechanisms available for “verifiable parental consent” come from the COPPA 1.0 framework, which speaks volumes about the privacy costs this law is willing to impose.

Parents can sign a consent form, hand over credit card information, submit a copy of a government-issued ID alongside a face scan, or verify their identity through video conferencing.

Massachusetts House Passes Social Media Age Verification Digital ID Bill

Massachusetts just voted to force every social media user in the state to prove their age to a tech company. 

The bill passed the House 129-25 on Wednesday, banning children under 14 from social media entirely, requiring parental consent for 14- and 15-year-olds, and mandating that platforms build age verification systems to enforce all of it. If it becomes law, the policy takes effect on October 1.

We obtained a copy of the bill for you here.

House Speaker Ron Mariano and Ways and Means Chair Aaron Michlewitz framed the legislation as protection. “This ban would be among the most restrictive in the entire country, helping to protect young people from harmful content and addictive algorithms that have a proven negative impact on their mental health,” they said in a joint statement. 

They also described the broader goal: “The simple reality is that Massachusetts must do more to ensure that our laws keep pace with modern challenges – especially when it comes to protecting our children, and to setting students up for success in the classroom and beyond.”

The bill doesn’t say how companies should verify ages. It leaves that to Attorney General Andrea Campbell, who would have until September 1 to write the implementing regulations. 

That vagueness is deliberate, according to Michlewitz, who said it gives the AG flexibility in a changing industry. 

But the practical reality of age verification is that someone has to prove who they are. 

That means government IDs, facial scans, or behavioral tracking, and those requirements don’t just apply to kids. Every user on the platform has to go through the system, because you can’t filter minors without checking adults, too.

South Carolina’s New Social Media Law Puts Every User Under Age Surveillance

South Carolina Governor Henry McMaster signed H.B. 4591 on May 19, turning the Stop Harm from Addictive Social Media Act into a law that will reshape how every resident of the state uses major social media platforms.

The bill passed with almost no opposition, clearing the House 115-0 and the Senate 42-1. It takes effect January 1, 2027, and it brings with it a surveillance apparatus aimed at all users.

We obtained a copy of the bill for you here.

The law, sponsored by Rep. Brandon Guffey (R-York), requires covered platforms to repeatedly estimate and verify the age of every South Carolina account holder.

The stated goal is child protection. The way it claims to do that is continuous behavioral analysis of anyone who spends enough time on a platform, combined with escalating confidence thresholds and penalties of ten thousand dollars per violation if platforms get it wrong.

Here’s how the age estimation system works. Once an account holder hits 25 cumulative hours on a platform within six months (the “first trigger date”), the platform has 14 days to estimate whether that person is over 15, with 80% confidence.

At 50 hours (the “second trigger date”), the confidence requirement jumps to 90%. After that, the platform must update its estimate every 100 hours of use, or whenever it runs data analytics on the user for any other reason, whichever comes sooner.

That last clause is easy to miss, and it means that any time a platform runs its profiling algorithms on you for ad targeting, content recommendations, or anything else, it also has to re-evaluate your estimated age. The law essentially piggybacks mandatory age surveillance onto whatever commercial surveillance platforms already conduct, expanding the scope of both.

Because platforms face significant liability if they can’t meet these confidence thresholds, the law creates powerful incentives to harvest far more sensitive data about users than they do today, including about minors.

A platform that guesses wrong faces $10,000 per violation. A platform that overinvests in behavioral profiling to avoid those fines faces no penalty at all. The incentive structure points in one direction.

The bill claims it “does not create any duty on the part of a covered social media platform to request, collect, or retain any information from or about any account holder” and that age estimates must be “derived based on information collected and retained by the covered social media platform in the ordinary course of operation.”

This is the bill’s central fiction. Platforms that can’t achieve 80% or 90% confidence from existing data will need to collect more data, or face financial ruin from accumulated violations. The law doesn’t mandate new data collection in the same way that holding a knife to your wallet doesn’t mandate you hand over cash.

For users classified as children (under 16), the restrictions are extensive. Accounts require verifiable parental consent, with privacy settings locked to the most restrictive levels by default.

Platforms cannot show children profile-based feeds, profile-based advertising, or any “addictive interface features,” a category that includes infinite scrolling, auto-play video, push notifications, and display of personal metrics like reaction counts.

Big Tech Backs Colorado OS-Level Age Data Bill

Chamber of Progress, a lobbying group bankrolled by Amazon, Apple, Google, Meta, and OpenAI, is pushing Colorado Governor Jared Polis to sign SB 26-051 into law.

The bill would force operating system providers to harvest users’ dates of birth and pipe that data to app developers through an API every time you download or open an app. If Polis signs it, your phone’s operating system becomes more of an identity checkpoint, not just for children, but for everyone.

The bill landed on the Governor’s desk on May 12 after clearing both chambers of the Colorado legislature, passing the House 40-23 and the Senate 26-9.

We obtained a copy of the latest version of the bill for you here.

Sponsored by Democratic Senator Matt Ball and Representative Amy Paschal, the legislation mirrors California’s AB 1043, signed into law in October 2025. Colorado’s version would start applying to new users on July 1, 2028, with existing users folded in by January 1, 2029.

When you set up a device account, the OS asks for a date of birth. That data gets translated into one of four age brackets (under 13, 13 to 15, 16 to 17, and 18-plus) and stored as an “age signal.”

Developers are required to request that signal at first launch or account creation through a real-time API. Every app you open gets to ask your operating system how old you are.

Chamber of Progress told Colorado lawmakers that the bill “reflects an important effort to protect children online while minimizing risks to privacy and lawful speech.”

That framing collapses under the weight of what the bill constructs. It calls age-bracket data “nonpersonally identifiable,” but an age bracket combined with a device ID, app usage patterns and an IP address makes re-identification trivial. When that signal flows to dozens of apps at launch, the aggregate profile becomes far richer than any single data point suggests.

The bill also makes anonymous device use functionally harder. If account setup requires an age attestation that follows you into every app, you lose the ability to use the software without disclosing something about your identity. That has consequences for journalists, activists, domestic violence survivors, and anyone who treats privacy as a default.

The bill never specifies how age data is verified. Account holders just “indicate” a birth date. It may not have an ID check or a biometric scan, at least for now. But a 12-year-old can type in 1988 and the system accepts it.

As a mechanism for protecting children, this is useless, and everyone involved in writing it knows that. What it does accomplish is something else entirely. It builds the architecture: the API, the data pipeline, the legal obligation for developers to query an age signal at every app launch. Once that plumbing exists, the only question left is what gets poured through it.

Days Away: The TAKE IT DOWN Act Creates a Censorship Mechanism With No Safeguards

The Federal Trade Commission sent letters to 17 major tech companies this week, warning them to comply with the Take It Down Act by May 19 or face fines of $53,088 per violation.

Amazon, Alphabet, Apple, Meta, Microsoft, TikTok, X, Reddit, Discord, Snapchat, Pinterest, Bumble, Match Group, Automattic, and SmugMug all got the same message from Chairman Andrew Ferguson.

We obtained a copy of the letter for you here.

“We stand ready to monitor compliance, investigate violations, and enforce the Take It Down Act,” Ferguson wrote.

“Protecting the vulnerable, especially children, from this harmful abuse is a top priority for this agency and this administration.”

The law, signed by President Trump in May 2025 with strong backing from First Lady Melania Trump, requires platforms to delete non-consensual intimate imagery (NCII), including AI-generated deepfakes, within 48 hours of receiving a removal request.

Platforms must also find and remove identical copies, provide clear notice about the removal process and let people track their requests. The FTC published a business guidance page alongside the letter spelling all of this out. The definition of “covered platform” is broad enough to capture social media, messaging apps, video sharing, gaming platforms, and essentially any site hosting user-generated content.

Nobody wants revenge porn circulating online. But the law Congress passed is far broader than the problem it claims to solve.

The TAKE IT DOWN Act borrows its structure from the DMCA’s already-controversial notice-and-takedown system, then strips out the safeguards.

Under the DMCA, a takedown request must include a statement under penalty of perjury. False claims can result in liability. There’s a counter-notice process so the person whose content was deleted can push back. TIDA has none of this. There’s no penalty for false claims, no counter-notice, no requirement that the filer prove anything before content disappears. A platform gets a complaint, has 48 hours, and deletes. That’s the entire process, and it is exactly why the Take It Down Act introduces a new censorship mechanism.

The law defines a violation as involving an “identifiable individual” engaged in “sexually explicit conduct,” without defining that conduct narrowly.

Jess Phillips Resigns, Pushes Phone Scanning Law in UK

Stuffed inside a resignation letter about the UK Labour Party’s leadership crisis is a proposal that should alarm anyone who owns a phone.

Jess Phillips, who stepped down as Safeguarding Minister today, spent a significant portion of her parting shot to Prime Minister Keir Starmer complaining that the government failed to mandate technology on every phone and device in the country that would prevent children from taking explicit images.

We obtained a copy of the letter for you here.

Phillips framed this as child protection, but what she described is device-level surveillance deployed at national scale.

Her letter stated that “91% of online child sex abuse is self-generated by children groomed, tricked and exploited in to abuse,” and that she presented solutions to Starmer “over a year ago” that would “end the ability for children in the UK to take naked images of themselves.”

She wanted this installed on every device in the country.

The government dragged its feet for twelve months before agreeing to “even threaten to legislate in this space. Not legislate, just threaten.” Phillips called this “the definition of incremental change.”

An announcement planned for March got pushed to June. She’d “given up believing it” would happen.

The resignation falls during a brutal stretch for Starmer. More than 90 Labour MPs have called for him to go after disastrous local elections.

Phillips told Starmer he is “a good man fundamentally, who cares about the right things” but that she’d “seen first-hand how that is not enough.” His instinct to avoid confrontation, she argued, had paralyzed the government. “The desire not to have an argument means we rarely make an argument, leaving opportunities for progress stalled and delayed.”

EU chief turns up heat on social media’s ‘addictive’ design

The European Union is working on new rules to protect children from the addictive designs of social media platforms such as TikTok, Meta and X, EU Commission president Ursula von der Leyen said on May 12.

“Sleep deprivation, depression, anxiety, self-harm, addictive behaviour, cyberbullying, grooming, exploitation, suicide. Risks are multiplying fast,” she said in a speech in Copenhagen.

“These risks are the reality of the digital world. They are not accidental. They are the result of business models that treat our children’s attention as a commodity.”

Ms von der Leyen said the commission would specifically target “addictive and harmful design practices” in its Digital Fairness Act (DFA), due to be proposed towards the end of 2026.

The DFA would also set strict limits on the use of artificial intelligence in social media, she said, while advocating a minimum age for social media access.

Ms von der Leyen said the EU must consider setting a minimum age for access to social media, adding that the commission might make a proposal in the summer on the issue following recommendations from a panel of experts.

“The question is not whether young people should have access to social media, the question is whether social media should have access to young people,” she said.

EU Going To War With VPNs In Bid To “Save The Children”

Western European governments and EU bureaucrats are advancing tighter regulations on VPNs as part of a broader push for “online age verification” and their “Chat Control” agenda. Privacy advocates and digital rights groups warn that Europe is drifting towards a surveillance and censorship regime similar to internet restrictions and firewalls used by Russia and China.

Last week European Commission Executive Vice-President Henna Virkkunen suggested that Brussels may need to address the use of VPNs to bypass the EU’s upcoming age-verification systems. Speaking during a press conference on the EU’s new digital age-verification app, Virkkunen acknowledged that users could circumvent the system with VPNs and stated that preventing such circumvention would be among the “next steps” policymakers need to examine.

Her statements were delivered only two weeks after she shared a stage with EU Commission President Ursula von der Leyen, who called for a crackdown on web media companies to “protect children” from dangerous content. The first stage of their agenda is a government-created universal age verification app which web companies will be required to integrate. Von der Leyen asserts that the new restrictions are designed to “defend children’s rights” (how does restricting access protect rights?).

The Orwellian language of the EU is not coincidental. “Child vulnerability” is a carefully chosen vehicle to manipulate public approval, opening the door to incremental government management of online content and discourse.

How a Bill Banning AI Companions for Kids Could Usher in Widespread ID Checks Online

Sen. Josh Hawley’s Guidelines for User Age-verification and Responsible Dialogue (GUARD) Act advanced out of the Senate Judiciary committee last week. “A Trojan horse for universal online ID checks,” is how Jibran Ludwig of Fight for the Future described it.

The bill would require anyone using an AI chatbot to provide proof of identity and ban minors from interacting with many sorts of AI chatbots entirely.

Unlike some social media age verification bills, it would give parents no right to opt out of the rules the federal government sets on their kids’ technology use.

The GUARD Act is co-sponsored by Sen. Richard Blumenthal (D–Conn.), who—like Hawley—has long been a champ at moral panic around technology. (Cue: Bipartisan is just another word for really bad idea…)

And while some on the Senate Judiciary Committee expressed concerns about privacy or how this could actually backfire and harm minors, those senators still voted to advance the bill. It “easily passed in committee,” notes The Hill, despite some senators’ reservations:

Sen. Alex Padilla (D-Calif.), who voted yes, said there are concerns about “potential privacy and security risks” with the age-verification component, suggesting it may need to be “fine-tuned.”

Sen. Ted Cruz (R-Texas), who supported various kids online safety bills, said he would vote yes but noted the bill needs “some revisions.”

Cruz was concerned the bill would completely ban all AI chatbots for minors, noting their potential benefits. Hawley clarified the bill does not ban all AI chatbots for minors, but rather it “prevents AI chatbots that engage with minors from pushing sexually explicit material to the minor,” or encouraging self-harm or suicide.

Utah first state to hold websites liable for users who mask their location with VPNs — law goes into effect, designed to prevent bypassing age checks

Utah’s Online Age Verification Amendments, formally Senate Bill 73, take effect on May 6, making the state the first in the U.S. to explicitly target VPN use as part of age verification legislation.

Signed by Governor Spencer Cox on March 19, the controversial law establishes that a user is considered to be accessing a website from Utah if they are physically located there, regardless of whether they use a VPN or proxy to mask their IP address. It also prohibits covered websites from sharing instructions on how to use a VPN to bypass age checks.

NordVPN has called the law an “unresolvable compliance paradox” and a “liability trap,” arguing that it holds websites responsible for identifying users whose tools are specifically designed to be unidentifiable. The EFF warned that the legal risk could push sites to either ban all known VPN IPs or mandate age verification for every visitor globally.

The law is also technically flawed, given that it assumes that a web provider can reliably detect VPN traffic and determine a user’s true physical location — they can’t. IP reputation databases such as MaxMind and IP2Proxy can flag traffic from known datacenter IP ranges, but commercial VPN providers rotate addresses constantly, and residential VPN endpoints are largely indistinguishable from standard home connections. Autonomous System Number analysis can catch traffic originating from datacenter networks, but can’t identify a personal WireGuard tunnel running on a cloud VPS, for example, which routes through the same infrastructure as ordinary web hosting.

The only detection method that reliably identifies VPN protocol signatures is deep packet inspection, which analyzes traffic at the network level, not system- or app-level. China’s Great Firewall and Russia’s TSPU system deploy DPI via ISPs, but a website operator can’t because it requires access to network infrastructure that sits between the user and the server, not on the server itself.

Meanwhile, setting up a personal WireGuard instance on any major cloud provider takes minutes, meaning the law will be more likely to negatively impact non-technical users who rely on commercial VPN services for legitimate privacy: journalists, people living under authoritarian regimes, political dissidents, and abuse survivors, among others.
