top of page

25 percent of kids will face identity theft before turning 18. Age-verification laws will make this worse.

Children are prime targets for identity theft. They can’t access credit and don’t check their credit reports, which gives bad actors more time to harm their victims before anyone notices something is amiss. Lawmakers are proposing and enacting social media age-verification laws which will increase fraud risks by mandating that minors surrender their Social Security numbers and other sensitive information.



Why identity theft is a big problem for children


According to Experian, a full 25 percent of minors will become victims of “identity fraud or theft” before they turn 18. That means that one out of every four minors (and their parents) will, at a minimum, be set up for long and stressful calls with credit bureaus and banks. At worst, these young people could find it difficult to establish and use credit once they become adults. According to a 2018 survey, more than half of child identity theft victims reported being denied access to credit at some point due to the fraudulent use of their identity, with as many as one quarter of the victims still grappling with the adverse consequences of these events more than 10 years after they had occurred—and a small but nontrivial percentage even being saddled with a lifelong criminal record for an offense that they did not commit.


In particular, identity-theft problems in the foster care system are a serious issue. The hundreds of thousands of children in the foster care system are at a high risk because their most sensitive information is provided to so many different adults, from their foster families to social service professionals. A decade ago, the Identity Theft Resource Center found that half of the youth in California’s foster care system were victims and that the average debt from identity theft was over $12,000. Laws already require that states conduct credit checks for these children if they are at least 14 years of age. This age should be much lower. However, it seems likely that the mandate is not being enforced consistently or effectively.

Some foster youth have reported multiple instances of identity theft by people they know like parents, foster parents, or caseworkers. In addition, given the numbers of third parties that handle the identifying information of foster youth, their risk for ID theft is significantly higher than a child in the general population. In fact, the foster care system might be considered a perfect case study of how “age verification” can be abused when someone provides identifying information to third parties. Increasing touchpoints where people can access children’s most sensitive information and also increasing the number of people who can access it has horrible consequences for children. Age verification is no different.

While adults lose money, kids lose opportunity. Poor outcomes for aged-out foster youth—things like homelessness and unemployment—may be the result of bad credit. Since most youth who age out of foster care are destitute, the inability to work is a major barrier to survival.


Unfortunately, scammers and hackers see minors as ripe targets, with youth somewhere between 35 to 51 times more likely to become identity-theft victims than adults. Because their credit isn’t in use or monitored, child victims discover theft and fraud long after it occurs.


Schools are big targets


In close to equal parts, a third of child victims knew the person who stole their identity, a third did not know the offender, and a third never found out the identity of the offender. Obviously, the concerns raised here won’t affect future victims of identity theft from someone close to them. But for victims who are targeted online or by other means, government policy should not worsen the problem. 


Schools are already prime and growing ransomware targets due to the fact that they often house student social security numbers or personally identifying information, credit card numbers, and government identification that attackers can threaten to release to the public if the entity does not pay the ransom. These attacks have even led to canceled classes. According to a 2023 Sophos study, “80% of lower education providers and 79% of higher education providers reported that they were hit by ransomware in the last year, up from 56% and 64%, respectively, in our 2022 survey.” This matches 30-day data from Microsoft.

Clearly, child identity theft needs to be taken seriously. Families, the government, and private organizations need to work to combat the harm continuously. At minimum, the government shouldn’t be making this problem worse. Enter age verification to access free speech online.


How age verification for tools children use will make this worse


As this series has discussed, the most accurate forms of age verification also require providing government identification, social security numbers, face scans, and the like. Utah’s regulatory guidance for their social media age-verification law includes just these same things. Age-verification policies with any force will require that this sensitive information is handed to age verifiers or social media platforms.


Many age-verification laws are formed with good intentions and try to put parents in charge. That necessarily means, though, that parent and child accounts will have to be verified not just for age, but also for the guardian-child relationship. And facial estimation technologies used for age verification have high false positive rates, which show they are far from effective for this purpose. That is also why legislation that does not explicitly mandate age verification—such as the Kids Online Safety and Privacy Act—will functionally require identity verification to ensure the correct adult has the parental controls for the correct child.

Private companies are constantly breached and hacked. And as explained here, the fact that schools house this very same valuable information for bad actors makes them top targets. If social media companies come to house this same information, they will become just as big targets. Indeed, they have already. The age-verification provider for top social media companies exposed login credentials to access users’ government IDs and other sensitive information for over a year. This began even before states passed age-verification legislation and continued until a 404 Media reporter confronted the company. R Street explained this would happen, and it turns out it began even before we even said so. At a time when the government should be working on minimizing risk, it is actively maximizing risk.

While the purpose of social media age-verification bills is to protect minors from harmful content online and secure their mental health, child identity theft has severe mental health consequences. In 2018, one Experian survey found that 35 percent of those who were affected by identity theft as a child “had to seek professional help to deal with the emotional strain.” According to another Experian survey, a fourth of victims are still grappling with the consequences of their child identity fraud 10 years after the fraud occurred.


Families and platforms have roles here, too. Internet and social media literacy are important so that minors can spot scams and not fall victim to them. Social media platforms should embrace end-to-end encryption to safeguard user data. It’s unfortunate that security is so fragile, but parents would do well to protect the credit of their whole families with available tools. Awareness of risk, best practices, and security tools can help here.


Conclusion


Social media age-verification policies need to be considered in the full context of cybersecurity risk and what happens when identity theft happens to minors. Well-meaning lawmakers want to protect minors online, but there are unintended consequences to these efforts.


Forget WhatsApp or Signal use EndpointLock on any mobile device to encrypt all text messages. EndpointLock provides MILITARY-GRADE PERSONAL SECURITY that encrypts and protects everything typed into a personal device.


You will also recive with a subscription:


  • Protection for up to 8 devices

  • Patented keystroke encryption technology

  • Works on desktops, laptops, mobile phones and tablets

  • Auto-Renewal in 12-months

  • Includes Dark Web Scan

  • Includes $100k Identity Theft Protection Coverage

  • Includes $50k Ransomware Coverage


Get an EndpointLock protection NOW:





bottom of page