At a moment of almost frightening technological advancement, the tech industry's best defense against children accessing websites and apps that they legally shouldn't are pop-up windows asking for their birthdays. For any kid old enough to fib, cracking these remarkably flimsy age gates is so easy that, well, a child can do it.
Knowing this, tech platforms like Instagram and TikTok try to algorithmically divine which of their users are underage and boot them from their platforms by the millions, while simultaneously writing rules to make the stuff all other users see a little less awful. But, as recentreporting shows, those interventions have hardly solved the problem.
It's little wonder, then, that lawmakers looking for a fix are forever introducing bills to impose new requirements on social media companies and demanding the leaders of those companies testify before Congress. On Thursday, Facebook's head of global safety will do the honors.
But for all of the attention on what social media platforms can and should be doing, lawmakers in Washington, and indeed around the world, have devoted far less time to the role device and operating system makers — namely, Apple and Google — should play in keeping kids safe online.
Alex Stamos, director of the Stanford Internet Observatory and Facebook's former chief of security, called attention to this regulatory blind spot in a Twitter thread this week, following Instagram's announcement that it would pause development on a kid-friendly version of the app in the wake of heightened scrutiny about Instagram's impact on teens' mental health.
Kids, Stamos pointed out, are already using social media — and a lot of times, their parents are letting them. If lawmakers really wanted to keep kids off of those apps in a way that wasn't so easy to circumvent, they might be better served focusing on a different point in the tech stack.
"Require mobile devices (phones and tablets) sold in the US to include a flow, triggered during initial setup, that asks if the primary user is a child and stores their birthdate locally. The calculated age (rounded to year) should be provided via API to every app," Stamos suggested. If device makers required ages at setup, Stamos wrote, then app stores could use that likely more reliable information to filter out underage users, rather than relying on their own insufficient age gates.
Lawmakers could also require apps that allow kids on their platforms to publish "child safety plans" that vary based on how old the user is, Stamos added. A 6 year old, after all, needs different guardrails than a 16 year old. "We are way too early in the field to have a unified set of product features that work for everybody," he wrote, "but we can at least encourage thoughtful design."
It's a Twitter thought experiment that would obviously need some fleshing out to address complexities like what to do about devices that are shared among family members. But few proposals for fixing online platforms are without their complications. Stamos' plan is relatively modest as compared to, for example, lawmakers' frequent and sweeping suggestions that Section 230 be gutted or overturned.
The most shocking thing about this proposal is perhaps that it's not already a big part of the conversation about keeping kids safe on social media — or even part of the conversation at all. Instead, both existing laws like the decades-old Children's Online Privacy Protection Act, or COPPA, and more recent proposals like the KIDS Act, focus on securing kids' data, preventing harmful content from being shown to kids and limiting manipulative marketing practices. All the focus is on the online services themselves.
"What's in front of us can often suck up a lot of the air in the room, because it's so outrageous," Ariel Fox Johnson, senior counsel for global policy at Common Sense Media, said, explaining why so much regulatory focus falls on online platforms and not on hardware makers. Johnson said she's not aware of any bills that have been proposed in the U.S. that would require device makers to do more age-gating, though she said she "would be supportive of device makers and others giving that as an option."
It's not that device makers aren't trying to implement parental controls. Apple and Android both offer parents ways to restrict apps on a device, set time limits for apps and limit access to apps and other content based on their age ratings. But those settings aren't on by default and don't trigger age-appropriate experiences inside the apps themselves once launched. Access is either on or off, with no in-between.
Previous efforts by device makers to institute more controls haven't been without controversy. When Apple launched Screen Time in 2019 and began kicking other parental control apps out of its store for alleged privacy violations, those apps accused the tech giant of anticompetitive behavior, and eventually Apple backed down from the crackdown.
Apple also pumped the brakes on a more recent plan to curb child exploitation by alerting parents of kids under 13 when their children were about to send or receive images Apple's algorithms determined to be sexually explicit. That plan prompted an immediate outcry from activists who said Apple's proposal would put vulnerable kids, particularly LGBTQ+ youths, at unnecessary risk. Within weeks, Apple said it would delay the plan in order to "collect input and make improvements."
Still, while people objected to the notion that Apple might inadvertently endanger kids by ratting them out to abusive adults, the concern largely had nothing to do with Apple knowing which of their users are kids in the first place. And that's where a proposal like the one Stamos floated begins.
Apple declined to comment on Stamos' idea, but pointed Protocol to its existing parental controls in Screen Time and the fact that, in the U.S., users have to be 13 to create an Apple ID.
Facebook has previously said it wants to work with "operating system (OS) providers, internet browsers and other providers" on ways they can share information with apps about users' ages, without violating their privacy. "While it's ultimately up to individual apps and websites to enforce their age policies and comply with their legal obligations, collaboration with OS providers, internet browsers and others would be a helpful addition to those efforts," a July blog post read.
None of this is to say that putting limits on online platforms themselves isn't an important part of any solution. The FTC is reportedly considering proposing a new online privacy rule, in lieu of federal privacy legislation that has still failed to materialize despite years of debate.
Advocacy groups like Common Sense are pushing for laws that would require platforms to more clearly identify advertisements and limit ad targeting, all interventions Johnson said could curb some of the more manipulative aspects of social media — not just for kids, but for everyone.
That's another often-overlooked aspect of the debate around child safety online, said Evan Greer, director of digital rights advocacy group Fight for the Future. "It may be convenient or enticing for lawmakers to pass legislation that they can say is protecting kids," Greer said. "It would be better if they would pass legislation that protects everyone, and helps build a more open, democratic and safe world for our kids to grow up in."
Prioritizing kids' safety shouldn't preclude kids' participation in social media entirely, Greer added. Despite the well-documented dark side of kids' experiences online, young people have also used social networks to build important social movements like the March for Our Lives. And for LGBTQ+ youths feeling isolated or depressed, Greer added, social media can be "a lifeline."
"We should be fighting for a world where young people are safe online, but also a world where young people can harness the power of the internet to fight for a better world," Greer said.
Facebook has sought to frame its now-paused Instagram for kids product as exactly that: an age-appropriate alternative to its main app that still offers kids the upside of social media. But given the company's track record — and its obvious self-interest in hooking another generation of users — both lawmakers and children's advocacy groups are understandably wary of letting Facebook build its own fix.
"To the extent we're going to trust a company to make a compelling and healthy and safe kids' product, Facebook would not be the first company on our list and could easily be one of the last," Johnson said.
Of course, if Facebook can't solve the problem, it might be well-past time to start thinking about who could.
This story has been updated to include Facebook's comment.
A MESSAGE FROM ALIBABA
Thousands of U.S. businesses sold more than $50 billion worth of their products to Chinese consumers with Alibaba last year. Alibaba provides the tools and infrastructure that U.S. businesses need to build their brands in China and reach local consumers.
