Child Safety as a Backdoor to the Surveillance State

There's a playbook that keeps showing up in legislatures across the country. It starts with something no one can argue against: protecting children.

California's AB 1043, introduced in early 2026, is the latest example. The bill would require online platforms to verify the age of all users. In practice, that means building identity verification infrastructure that can be repurposed for surveillance at scale.

This isn't a new pattern. It's the same logic that gave us the PATRIOT Act after 9/11, FISA Section 702 renewals, and the UK's Online Safety Act. The formula is simple:

1. Identify a genuine, emotionally compelling problem
2. Propose a solution that requires mass data collection
3. Build the infrastructure
4. Expand its use

What AB 1043 Actually Requires

The bill mandates that platforms implement "reasonable age verification" for users. On paper, this sounds like common sense. In practice, it means one of the following:

• Government ID upload: handing your driver's license to every website you visit
• Facial age estimation: AI scanning your face to guess your age
• Third-party age verification services: a new industry of companies that know every site you visit and when

None of these methods work without creating a centralized record of who accessed what, and when. That record is a surveillance goldmine; once it exists, law enforcement, intelligence agencies, and data brokers will seek access to it.

The Pattern: Child Safety, Then Infrastructure, Then Scope Creep

This isn't speculation. It's documented history.

Australia's metadata retention law (2015) was sold as a tool to fight child exploitation. Within two years, dozens of government agencies had accessed the retained data for purposes that had nothing to do with children. That includes the tax office and local councils.

The UK's Online Safety Act (2023) included provisions for client-side scanning that cryptographers worldwide warned would break end-to-end encryption. The government insisted it was only about child safety. Signal and WhatsApp threatened to leave the UK market entirely.

The EARN IT Act (US, introduced repeatedly since 2020) would strip Section 230 protections from platforms that use end-to-end encryption. This creates a legal incentive to abandon encryption, all in the name of child exploitation.

The infrastructure built to "protect children" becomes the infrastructure used to monitor everyone.

Age Verification Is Identity Verification

Here's what proponents of these bills don't say openly: there is no way to verify someone's age without also verifying their identity. Age is a property of identity. You cannot confirm one without revealing the other.

This means every "age verification" mandate is actually an identity verification mandate. Identity verification at the point of content access is surveillance by another name.

Consider what a fully compliant internet looks like under AB 1043:

• Every website knows who you are before you can read an article
• A third-party verification company has a log of every site you visit
• That log is one subpoena, one breach, or one policy change away from being public

This is the architecture of a surveillance state, built with the best of intentions.

The Real Harm to Children

Here's the cruel irony: these bills often make children less safe.

LGBTQ+ youth in unsupportive homes use anonymous internet access as a lifeline. Age verification with parental controls can out them. In states with active anti-trans legislation, this isn't hypothetical; it's dangerous.

Abuse victims searching for help need anonymity. If every search is tied to a verified identity that a controlling parent or partner can access, victims lose their escape route.

Young activists and journalists learning about civil rights, protest movements, or government accountability get a chilling message: your curiosity is being logged.

The kids most in need of protection are often the ones most harmed by removing anonymity.

What Actually Protects Children

Real child safety doesn't require mass surveillance:

• Investing in NCMEC and law enforcement: the National Center for Missing & Exploited Children is perpetually underfunded. Give investigators tools and resources, not dragnet infrastructure.
• Platform design choices: default privacy settings, algorithmic changes that don't push minors toward harmful content, and robust reporting systems.
• Education: digital literacy for kids and parents, taught in schools and communities.
• Prosecuting known offenders: the DOJ has a backlog of known child exploitation cases. Fund prosecution of actual crimes instead of surveilling everyone.

These approaches target the problem. AB 1043 targets the infrastructure of privacy itself.

Architecture Matters

This is why Penumbra exists. We believe the architecture of a system determines its potential for abuse. If a system can surveil, it will be used to surveil, regardless of its original intent.

When we build technology, the question isn't just "what does this do today?" It's "what could this be used for tomorrow, by someone with different intentions?"

AB 1043's authors may genuinely want to protect children. But the infrastructure they're building will outlast their intentions. In the wrong hands, or the right hands with expanding mandates, it becomes exactly the surveillance apparatus that free societies are supposed to prevent.

"Those who would give up essential Liberty, to purchase a little temporary Safety, deserve neither Liberty nor Safety." , Benjamin Franklin

The liberty being traded here isn't temporary. The surveillance infrastructure, once built, doesn't get dismantled. It gets expanded.

Follow the progress of AB 1043 at leginfo.legislature.ca.gov. Contact your California representatives if this concerns you.