FTC's Child Safety Scam: Surveillance for Everyone

The Federal Trade Commission held a workshop on January 28, 2026 to discuss age verification technologies. Commissioner Mark Meador's pitch: "behavioral age verification" that detects a user's age "by the way they interact with an online platform" through machine learning pattern analysis. The sell point here involves avoiding intrusive government ID checks. The reality involves tracking everything you do online to build a behavioral profile that predicts how old you are.

That persistent observation might skip the DMV line, but it still means continuous profiling of every user. The government promises to protect kids by watching everyone.

Google already runs this playbook. Their machine learning model estimates age from behavioral signals like search history, YouTube viewing patterns, and interaction metadata. If flagged as potentially underage, users face a verification gauntlet: government ID upload, credit card submission, or facial analysis selfies. The company claims this approach remains "non-intrusive" because they only analyze data they already collected. The logic being that existing surveillance makes additional surveillance acceptable.

The FTC's 2025 COPPA amendments, passed 5-0 on January 16, 2025, expand the definition of "personal information" to include biometric identifiers: fingerprints, retina patterns, genetic data, voiceprints, gait patterns, and facial templates. The same rule that supposedly protects children now covers the way you walk. Companies requested exceptions for using facial data in security contexts. The Commission refused.

FTC Chair Andrew Ferguson identified the obvious problem: the rule creates a compliance paradox where websites need to collect personal information to determine whether they're allowed to collect personal information. Mixed-audience websites must verify age before knowing whether COPPA applies. Collecting data to check if you should collect data.

Commissioner Mufarrige acknowledged the tension between age verification requirements and COPPA's restrictions on collecting minors' data without parental consent. His solution: "exploring potential solutions" rather than treating the contradiction as prohibitive. Translation: they know the rules conflict and they're moving forward anyway.

The penalty structure makes compliance mandatory regardless of the logical problems. Civil penalties hit $53,088 per violation for 2025. The FTC extracted $20 million from Cognosphere, the Genshin Impact developer, in January 2025 for COPPA violations combined with deceptive marketing practices. NGL Labs paid $5 million in July 2024. Companies face existential financial risk for getting this wrong.

Jennifer Huddleston from the Cato Institute warned at the FTC workshop that age verification laws "provide a honeypot for bad actors." She meant the youth data privacy risks. The honeypot already leaked.

AU10TIX, an identity verification service used by TikTok, Uber, X, Coinbase, LinkedIn, and PayPal, left login credentials exposed online for over 18 months. The breach, discovered in June 2024, exposed access to a logging platform containing names, birthdates, nationalities, identification numbers, and images of government IDs. The credentials were harvested by infostealing malware in December 2022, posted to Telegram in March 2023, and remained active when cybersecurity researchers finally noticed. AU10TIX initially claimed they revoked the credentials. The credentials still worked when 404 Media checked.

The Electronic Frontier Foundation cataloged ten categories of harm from age verification mandates. The numbers cut through the child safety rhetoric:

Approximately 15 million U.S. adults lack driver's licenses. Another 34.5 million possess no current government ID matching their name and address. Black adults face the highest exclusion rate at 18% without licenses, followed by Hispanic Americans and undocumented immigrants. The 20% of U.S. households without credit cards lose access to platforms requiring financial document verification.

AI age estimation algorithms demonstrate reduced accuracy for Black, Asian, Indigenous, and Southeast Asian users. The systems frequently misclassify adults from these communities as minors. Processing takes longer. An estimated 100 million people worldwide with facial differences face recognition failures. "Liveness detection" excludes users with limited mobility.

The transgender population takes unique damage. 43% of transgender Americans lack identity documents reflecting their correct name or gender. Age verification systems force a binary choice: submit outdated documents that expose their identity history or lose platform access entirely. Non-binary genders break the classification systems completely.

Domestic abuse survivors, journalists, activists, whistleblowers, and anyone operating under authoritarian threat relies on online anonymity. Age verification systems constitute surveillance infrastructure that eliminates that protection. Every verification request creates an identity record linking a real person to specific platform activity.

Senator David Shoebridge characterized the approach as "digital surveillance under the guise of protection." Australian Senator, but the observation applies universally.

The pattern replicates across every "child safety" initiative. Congress passes legislation requiring platforms to verify user ages. Platforms implement verification systems that collect identity documents or biometric data. That data centralizes with third-party verification companies. Those companies get breached. Users who complied with verification requirements end up with their government IDs circulating through Telegram channels for over a year.

Google claims their behavioral profiling happens on-device when selfies get involved. They make no such claims about search history analysis, video viewing patterns, or interaction metadata. That processing happens in their infrastructure, analyzed by their algorithms, stored according to their policies. The privacy assurance covers the verification step while ignoring the continuous surveillance that enables it.

Apple's Nick Rossi, at the same FTC workshop, called age assurance "a compliance burden that forces unnecessary data transmission". When Apple—the company that gave the FBI grief over iPhone encryption—flags your privacy initiative as data-hungry, recalibrate your assumptions about what you're building.

The compliance deadline for the new COPPA requirements hits April 22, 2026. Every website operator who serves content to both adults and children faces the surveillance mandate. They must verify ages to comply with the rule. They must collect biometric data that the rule now classifies as personal information. They must protect that data from breaches that verification companies have already proven inevitable.

The FTC workshop explored reusable tokens as an alternative—verify once, use the token across platforms. The centralization problems compound rather than resolve. One breach, universal exposure. One compromised token provider, every linked identity leaked.

Commissioner Meador positioned behavioral age verification as the privacy-respecting option. Track everything users do to avoid making them show ID. Continuous surveillance replaces episodic document checks. The government prefers the approach that generates more data.

Every regulatory push for online child safety follows identical logic: identify a genuine concern about kids, propose surveillance infrastructure that captures everyone, dismiss privacy objections as indifference to children, implement the system, watch the breaches accumulate, repeat with expanded scope.

COPPA now covers gait patterns. Your walking rhythm qualifies as personal information requiring parental consent before collection from minors. The agencies tasked with protecting your privacy treat the way you move as regulated biometric data while mandating systems that profile your every click to determine your age.

The FTC's privacy paradox resolves simply: they protect children by surveilling adults. They claim the surveillance respects privacy because it avoids government ID. The behavioral profiling runs deeper and longer than any ID check ever could.

When the government promises to protect your kids online, check what they're building for everyone else.