Letter to Senators Opposing the KIDS Act

Posted by

·

Dear Senator Cassidy and Senator Kennedy,

I am a constituent in New Orleans and a cybersecurity engineer with 20 years in the field. Senator Cassidy, I know you co-sponsored KOSA and co-authored COPPA 2.0, and that your goal is protecting children. I am writing to ask you to reconsider the KIDS Act (H.R.7757) as passed by the House, because its verification machinery lands on every adult and creates concrete security and constitutional harms that I do not believe serve that goal.

The bill cannot identify minors without classifying everyone. KOSA’s obligations trigger when a platform “should have known” a user is under 17 — a negligence standard, not actual knowledge — and the SCREEN Act bans self-attestation outright, requiring “technology verification measures.” The rational compliance response is to verify all users. The disclaimer that the bill does not “require” age verification is contradicted by the liability structure that makes verification the safe choice. In practice, adults will hand over government ID or submit to face scans to access lawful content.

This is the part I can speak to professionally: mandating that platforms and their third-party vendors collect identity documents and biometrics builds exactly the centralized honeypots attackers hunt for. The bill permits offloading verification to third parties and caps retention only at what is “strictly necessary” — undefined. I respond to breaches for a living. These repositories will be breached, and the result is identity theft at national scale. We would be manufacturing the country’s largest attack surface in the name of safety. Notably, the SCREEN Act is modeled on Louisiana’s own age-verification law — which means Louisianans are already the test case for this exposure.

There is also a cleaner principle available: parents, not the federal government, should decide what their children access. Device- and network-level parental controls already exist, work well, and burden no other adult. That approach protects kids without conscripting every adult into an identity-verification regime — and it avoids the First and Fourth Amendment problems of conditioning access to lawful speech on surrendering identity to a private company, and the end of anonymous browsing the Supreme Court has repeatedly protected.

I am not asking you to abandon child safety. I am asking you to strip the age-verification and identity-collection mandates that fall on adults before this reaches the floor, and to favor parental-control and data-minimization approaches instead. I am glad to brief your staff on the specific security failure modes; this is my professional domain.

Respectfully,
Matthew Wollenweber
New Orleans, LA

mwollenweber Avatar

About the author

Matthew Wollenweber (@mwollenweber) is a security engineer with over 20 years experience in cybersecurity and software development. Matthew is passionate about analyzing real-world security problems as inspiration to build tools. His day job is security operations, incident response, and tool development. He is a progressive political organizer in New Orleans, a BJJ brown belt, and bulldog rescuer.

Discover more from Insomniac Technologies

Subscribe now to keep reading and get access to the full archive.

Continue reading