25 percent of kids will face identity theft before turning 18. Age-verification laws will make this worse.

BY SHOSHANA WEISSMANN, 

MAUREEN FLATLEY, CHILD WELFARE EXPERT 

entity theft. They can’t access credit and don’t check their credit reports, which gives bad actors more time to harm their victims before anyone notices something is amiss. While lawmakers are proposing and enacting social media age-verification laws, this will increase fraud risks by mandating that minors surrender their Social Security numbers and other sensitive information.

A full 25 percent of minors will become victims of “identity fraud or theft” before they turn 18, according to Michael Bruemmer, Experian’s Vice President of Consumer Protection. That means that one out of every four minors (and their parents) will, at a minimum, be set up for long and stressful calls with credit bureaus and banks. At worst, these young people could find it difficult to establish and use credit once they become adults. More than half of child identity theft victims in an Experian survey reported being denied access to credit at some point due to the fraudulent use of their identity, with as many as one quarter of the victims still grappling with the adverse consequences of these events more than ten years after they had occurred–and a small but nontrivial percentage even being saddled with a lifelong criminal record for an offense that they did not commit.

Unfortunately, scammers and hackers see minors as ripe targets, with youth somewhere between 35 to 51 times more likely to become identity-theft victims than adults. Because their credit isn’t in use or monitored, child victims discover theft and fraud long after it occurs. Although 25 percent of minors will become identity theft or fraud victims, of all the cases Experian handles—“25,000-30,000 fraud cases each year—approximately 17 percent were targeted specifically at children.”

Although seniors lose more money due to fraud, more teenagers report a financial loss from fraud. While adults lose money, what kids lose is opportunity. Poor outcomes for aged-out foster youth—things like homelessness and unemployment—may be the result of bad credit. Since most youth who age out of foster care are destitute, the inability to work is a major barrier to survival.

In close to equal parts, a third of victims knew the person who stole their identity—often a parent or other family member, a third did not know the offender, and a third never found out the identity of the offender. Obviously, the concerns raised here won’t affect future victims of identity theft from someone close to them. But for future victims who are targeted online or by other means, government policy should not worsen the problem.  

Schools are already prime and growing ransomware targets due to the fact that they often house student social security numbers or personally identifying information, credit card numbers, and government identification that attackers can threaten to release to the public if the entity does not pay the ransom. These attacks have even led to canceled classes. According to a 2023 Sophos global study, “80 percent of lower education providers and 79 percent of higher education providers reported that they were hit by ransomware in the last year, up from 56 percent and 64 percent, respectively, in our 2022 survey.” This matches 30-day data from Microsoft. Much of the same data in schools that is so valuable for attackers would make any entity included in age verification proposals just as valuable a target.

Clearly, child identity theft needs to be taken seriously and families, the government, and private organizations need to continuously work to combat the harm. At minimum, the government shouldn’t be making this problem worse. Enter age verification to access free speech online.

As this series has discussed, the most accurate forms of age verification also require providing government identification, social security numbers, face scans, and the like. Utah’s regulatory guidance for their social media age verification law includes just these same things. Hackers and other bad actors find this information incredibly valuable. Age verification policies with any force will require that this sensitive information is handed to age verifiers or social media platforms. Age verification laws are formed with good intentions and try to put parents in charge. That necessarily means, though, that parent and child accounts will have to be verified not just for age but for the guardian-child relationship. And facial estimation technologies used for age verification have high false positive rates, which show they are far from effective for this purpose. There is no way around providing very sensitive information in order to prove the relationship. That is also why legislation that does not explicitly mandate age verification—such as the Kids Online Safety Act—will functionally require identity verification to ensure the correct adult has the parental controls for the correct child. 

Private companies are constantly breached and hacked. And as explained here, the fact that schools house this very same valuable information for bad actors makes them top targets. If social media companies come to house this same information, they will become just as big targets. Indeed, they have already. The age verification provider for top social media companies exposed login credentials to access users’ government IDs and other sensitive information for over a year. This began even before states passed age verification legislation and continued until a 404 Media reporter confronted the company. R Street explained this would happen, and it turns out it began even before we even said so. At a time when the government should be working on minimizing risk, it is actively maximizing risk.

While the purpose of social media age verification bills is to protect minors from harmful content online and secure their mental health, child identity theft has severe mental health consequences. In 2018, one survey from Experian found that 35 percent of those who were affected by identity theft as a child “had to seek professional help to deal with the emotional strain.” According to another Experian survey, a fourth of victims are still grappling with the consequences of their child identity fraud 10 years after the fraud occurred. In some cases, identity theft victims have a criminal record because their identity was used in a crime. 

Families and platforms have roles here, too. Internet and social media literacy is important so that minors can spot scams and not fall victim to them. Social media platforms should embrace end-to-end encryption to safeguard user data. It’s unfortunate that security is so fragile, but parents would do well to protect the credit of their whole families with available tools. Awareness of risk, best practices, and security tools can help here.

There is one more thing that the government should be on top of in particular—identity theft problems in the foster care system. The hundreds of thousands of children in the foster care system are at higher risk, because their most sensitive information is provided to so many different adults from their foster families to social service professionals. A decade ago, the  Identity Theft Resource Center found that half of the youth in California’s foster care system were victims and that the average debt from identity theft was over $12,000. Laws already require that states conduct credit checks for these children if they are at least 14 years of age. This age should be much lower. However, it seems likely that the mandate is not being enforced consistently or effectively.

Some foster youth have reported multiple instances of identity theft by people they know like parents, foster parents or caseworkers. Given the numbers of third parties that handle the identifying information of foster youth their risk for ID theft is significantly higher than a child in the general population. In fact, the foster care system might be considered a perfect case study of how “age verification” can be abused when you provide identifying information to third parties. Increasing touchpoints where people can access children’s most sensitive information and also increasing the number of people who can access it has horrible consequences for children. Age verification is no different. 

Social media age verification policies need to be considered in a full context of cybersecurity risk and what happens when identity theft happens to minors. Well-meaning lawmakers want to protect minors online, but this highlights the unintended consequences of these efforts.

This is part of the series: “The Fundamental Problems with Social Media Age-Verification Legislation.”