KOSA and Chat Control both retreated on their most-criticized measures this week, but both kept mandatory age verification, the quiet mechanism that turns anonymous browsing into identified browsing for all of us, argues Billions CEO Evin McMullen.
On June 29, two of the most consequential internet bills in the democratic world moved at once. In Washington, the House passed the Kids Internet and Digital Safety Act, a package built around a revised Kids Online Safety Act, by 267 to 117. In Brussels, negotiators sat down for what was billed as the final trilogue on Chat Control 2.0, the EU's long-running child-protection regulation. Both had spent months under fire. Both, notably, retreated.
The US bill's authors dropped KOSA's controversial “duty of care,” the standard critics warned would turn platforms into speech police. EU negotiators dropped the mandatory client-side scanning of private messages, the provision that would have broken encryption for everyone. Civil liberties groups are, rightly, claiming partial victories.
But look at what survived in both. Age verification. Quietly, on both sides of the Atlantic, the measure nobody is fighting over is the one that reshapes the internet for adults as much as for children.
Evin McMullen is co-founder and CEO of Billions Network, which builds privacy-preserving verifiable identity for humans and AI agents.
Underneath the whole debate sits a false choice that some of technology's most powerful figures have spent years normalizing: that a safe, functioning digital society is something you buy with your privacy. Oracle's Larry Ellison has openly welcomed a future of constant AI surveillance in which, he says, "citizens will be on their best behavior." Bill Gates has become the most prominent champion of universal digital ID as essential modern infrastructure — a privacy-by-design promise that critics note keeps hardening, in practice, into the very surveillance it was meant to avoid. Both, in their way, treat identification as the price of admission to modern life. It isn't.
Here is the problem the child-safety framing obscures. To confirm that a user is old enough, a platform has to check the age, and usually the identity, of everyone who arrives, including the adults. As the Electronic Frontier Foundation put it this month, that turns anonymous browsing into identified browsing, and it manufactures exactly what a privacy regime is supposed to prevent: large, centralized pools of sensitive identity data, sitting on servers, waiting to be breached, subpoenaed or sold. And for most of the platforms compelled to collect it, that trove is not an asset but a liability: a crushing new obligation to secure information their businesses were never built to hold, with a risk surface that grows every time another user logs in.
This is not hypothetical. Britain is the preview. Under the Online Safety Act, the Office of Communications (Ofcom) has opened more than 90 investigations and started issuing fines, and users now hand over government IDs or submit to face scans to reach ordinary content. A single vendor reportedly powers age checks for around 60% of the sites that require them, a concentration of the world's identity documents that would make any security engineer wince. The stated goal is protecting children. The built artifact is an identity-surveillance layer for the entire population.
What makes this avoidable, and what almost no one in the legislative debate is saying, is that “verify age” and “collect identity” are not the same requirement. We have known for years how to prove a fact about a person without revealing the person. Using a zero-knowledge proof, someone can demonstrate they are over 18, or over 13, to a website that learns nothing else: not their name, not their date of birth, not a document it has to store. The proof is checked and discarded. No honeypot is created, because no identity is collected.
The EU, to its credit, has half-grasped this. Its own age-verification app is explicitly designed so a user can prove they are over 18 “without sharing any other personal information.” That is the right architecture. The trouble is that the laws mandating verification rarely mandate that architecture. They require the outcome, an age gate, and leave the method to whichever vendor is cheapest and most invasive. The US KIDS Act pushes platforms toward age checks without requiring that those checks be privacy-preserving at all. The result is predictable: the market reaches for the ID upload and the face scan, because they are easy, and the surveillance gets built by default rather than by design.
This is the fork worth fighting over, and it is being missed because the debate is stuck on the wrong axis. Legislators frame the choice as safety versus freedom; critics frame it as protection versus privacy. Both accept a false premise, that keeping children out of adult spaces requires identifying the adults. It does not. The real choice is between two ways of verifying age: one that minimizes data and forgets you the instant you pass, and one that maximizes data and remembers everyone forever. Only the second is surveillance, and only the second is currently the path of least resistance.
The window to insist on the first is now, while these bills are still moving. The KIDS Act heads to a skeptical Senate. Chat Control 2.0 is targeting political agreement in July. In both cases the principle, that platforms should be able to tell adults from children, has effectively been settled. What has not been settled is whether that capability is built on privacy-preserving proofs or on a mountain of uploaded passports. That is a technical decision with civil liberties consequences, and it is being made, right now, largely by default.
There is a larger reason to settle this well, and settle it now. The old sorting of internet traffic into “bot or human” is already breaking down: a verified third category is arriving, AI agents acting, with authorization, on behalf of people, companies and governments, and they will soon need to prove what they are permitted to do without unmasking whoever stands behind them. “Know Your Agent” will demand the very same privacy-preserving architecture we are arguing over now for people. Decide it well for human age checks, and we set the pattern for everything that follows. Decide it badly, and we hard-wire surveillance into the identity layer of the internet, for humans and machines alike.
Protecting children online is a legitimate aim, and anonymous browsing and encrypted messaging are not sacred because they are convenient; they are load-bearing for dissidents, abuse survivors, journalists and ordinary people alike. The good news is that we do not have to trade one for the other. The technology to verify age without surveilling the verifier exists and is deployable today. The only question is whether lawmakers write it into the rules, or whether we discover, a few breaches from now, that we built a global identity-tracking system and called it child safety.
Note: The views expressed in this column are those of the author and do not necessarily reflect those of CoinDesk, Inc. or its owners and affiliates.
Stablecoin market cap fell to $312B in June, its largest monthly drop since TerraUSD, while tokenized equity volumes surged 145% to a record $3.86B.