In 2024, identity verification provider AU10TIX, which provided services to companies like TikTok and Uber, was found to have exposed drivers' licenses to hackers for over a year. In 2025, the age-verification systems provider for the social media site Discord was breached, exposing potentially 70,000 users' government IDs. In 2026, the lesson should already be clear that once age verification depends on vendors and stored identity data, a safety system can become a breach vector.

And the rise of AI is only accelerating these risks, making hacks faster and the resulting damage easier to inflict.

This is the backdrop against which the U.S. House passed the Kids Internet and Digital Safety (KIDS) Act on June 29th, a sprawling package built around the Kids Online Safety Act (KOSA), 267-117. The bill now sits in the Senate, where KOSA's own authors, Democrat Richard Blumenthal and Republican Marsha Blackburn, resoundingly rejected the House version and are pushing a tougher one, in part by tying it to federal preemption of state AI laws. A Senate Commerce Committee markup is expected this month. Whatever emerges from that process will shape how identity works online for years.

The intent is to protect minors. The risk is that the mechanism protecting them requires building a much larger surveillance apparatus than anyone campaigning for it admits.

Frederik Gregaard is the CEO of the Cardano Foundation, the Swiss-based non-profit organization that exists to ensure the advancement of the Cardano protocol.

KIDS doesn't mandate age verification outright, because it doesn't have to. Making platforms liable for harm to minors who access their services gives companies a simple risk calculus. Either you verify age, or accept the legal exposure of not knowing who's a minor. Liability without a verification mandate still produces verification. That's the mechanism, and it's worth naming explicitly, because "there's no explicit age check in the bill" is a technically true defense that misses how the incentive actually works in practice.

Once disclosure becomes the price of access, the information dragnet tends to expand. A tool built to confirm someone is old enough becomes a tool that confirms who they are, and a database built to prevent liability becomes just a liability – one more repository of identification data waiting for the next AU10TIX-style breach.

But if a platform only needs to know that a user is old enough, it should not require a full identity file or other data it may use as a proxy for age. If a service only needs to reduce exposure to harmful content, there is no need to build a database that can later be repurposed. These distinctions, however small, matter.