As governments push stricter online child safety rules, digital rights advocates warn about the risks of collecting IDs and facial data.

A landmark trial against Meta and YouTube is underway, as the companies face claims that their platforms harm children’s mental health.

This comes as lawmakers around the world are advancing new child safety laws — including age-verification requirements that could require users to upload a government ID or submit facial scans to confirm their age. But some digital rights advocates warn that efforts to make the internet safer for children could introduce new privacy risks, especially if sensitive personal data is collected or stored by third-party vendors.

Marketplace’s David Brancaccio spoke with Kian Vesteinsson, senior researcher at Freedom House — a nonprofit focused on democracy and human rights — for more on the tension between child safety legislation and online privacy. The following is an edited transcript of their conversation.

David Brancaccio: Age verification for what we get access to online — I mean, to keep younger people away from harmful or age-inappropriate content — you’re not against that in itself?

Kian Vesteinsson: That’s right. Protecting children from the worst of the internet is a pressing policy aim. There’s plenty of evidence that children using social media platforms can face real harms. But the important thing here is that online anonymity has long been a key enabler for free expression, free speech, and access to online information, and we need to make sure that we protect it.

Brancaccio: And you have specific concerns about if we are asked to verify our age before getting access to certain content, what are people doing with the ID that we present?

Vesteinsson: So it might be helpful to take a step back, because there are a couple of different ways that companies go about doing this. When a platform has a lot of data about a user, it is possible to forecast their age based on their online activities. This is usually called “age inference,” and it tends to require really sophisticated machine learning tools.

For example, you know, my YouTube history has been live videos of Prince guitar solos and instructions on how to make the best chicken stock. That’s a pretty good signal that I’m an adult. My account has been active for around 20 years on YouTube; that’s another great signal that I’m an adult. But this sort of inference isn’t always possible, so in those circumstances, companies need to check someone’s age by guessing using analysis of their facial features — like their facial hair, for example, or wrinkles — or by scanning a government-issued identification card. And it’s at this stage that we see really sensitive personal information introduced into the picture. That’s where the privacy and security concerns come in.

Brancaccio: It’s happened to me before. There was somebody tampering with one of my online accounts, and I think it was Meta[‘s] Facebook asked me to take a picture of myself holding up my driver’s license. That should have made me more nervous at the time?

Vesteinsson: Well, that’s a really good example where you are opting into this face comparison to get something that’s yours. But age verification measures introduced at scale pull an incredible amount of personal data into the online ecosystem. Last fall, Discord disclosed that hackers had breached a vendor doing age verification services. Discord estimates that in this one single breach, around 70,000 people had their government ID cards exposed in the hack, and now presumably transacted by cyber criminals on the internet. We should also anticipate that these companies will be a target for state-backed hackers.

Brancaccio: Because there are good ways and bad ways to do this. There are ways that are more vulnerable, but there are ways — you’re persuaded in this world of hackers, where there’s a decent chance that your data will be safeguarded?

Vesteinsson: There are promising efforts being developed right now to do age verification in a way that’s privacy-preserving, but they’re not ready to go to market. One model that’s gaining steam involves creating third-party digital infrastructure that would check a government-issued identification card and then immediately delete any associated sensitive data. This would be [a] nonprofit third-party tool. That service could then supply a token confirming someone’s age when they request it in order to access a social media platform. But it’s going to take time and money to figure out how to do this in a privacy-preserving way, and as we invest in developing these tools, policymakers should look towards other mechanisms, rather than these sort of blunt-hammer age-verification approaches.

Brancaccio: I’ve been focused on hackers, however we define those. Do you have an additional worry that, depending on which government you’re talking about in some part of the world, that, in fact, governments could get a hold of this private data and misuse it?

Vesteinsson: Yes, age verification laws are ripe for abuse in countries with weak rule of law and widespread government surveillance. Freedom House puts out a report each year that assesses conditions for free expression and privacy online in 72 countries around the world. Our research has found that authorities in many countries deploy censorship and surveillance to target online expression of dissent. In fact, we estimate that 81% of the world’s internet users live in countries where people have been arrested or imprisoned for posting content about political or social issues as of mid-2025.

In environments like these, there is considerable risk in connecting a person’s online activities to a photo of their face or their identification card. Now, most countries have legal procedures in place that empower law enforcement to request user data from private companies in order to investigate crimes. This is standard practice. It’s normal, and it’s necessary, but our research has found that repressive governments routinely abuse standard legal process for data requests in order to target activists or people criticizing government conduct on the internet. And age verification poses an enormous risk to empower authorities to abuse those laws even further.

Market place

PayPal officially disclosed a significant data exposure incident involving its PayPal Working Capital (PPWC) application. In a newly circulating security incident, PayPal confirmed that sensitive customer information was exposed for nearly six months in 2025 due to a software flaw in one of its business financing tools.

The breach affected users of PayPal’s Working Capital loan application, exposing a wide range of personally identifiable information, including highly sensitive data such as Social Security numbers and dates of birth. According to PayPal, the incident originated from a coding error within the PayPal Working Capital (PPWC) loan platform.

The company says the issue persisted from July 1 until mid-December 2025 before being identified and rectified

PayPal data breach exposed sensitive user data for six-month period; what you need to know

PayPal officially disclosed a significant data exposure incident involving its PayPal Working Capital (PPWC) application. In a newly circulating security incident, PayPal confirmed that sensitive customer information was exposed for nearly six months in 2025 due to a software flaw in one of its business financing tools.

The breach affected users of PayPal’s Working Capital loan application, exposing a wide range of personally identifiable information, including highly sensitive data such as Social Security numbers and dates of birth. According to PayPal, the incident originated from a coding error within the PayPal Working Capital (PPWC) loan platform.

What should users do?

It is recommended for users to take following steps:

• Enrolling in credit monitoring services
• Placing fraud alerts or credit freezes if necessary
• Updating passwords across financial accounts
• Being cautious of unsolicited communications

PayPal’s latest disclosure adds to a growing list of high-profile data exposure incidents in the financial sector, underscoring the risks associated with digital financial services in an increasingly digital economy. The incident highlights ongoing challenges in the wake of rising security threats. The prolonged duration of these security challenges-nearly half a year-raises questions among regulators and customers regarding detection capabilities and internal monitoring processes.

By The News Digital

TikTok’s U.S. joint venture seems to have survived a turbulent rollout with minimal change in usership, as early narratives of a mass user exodus prompted by service outages and censorship concerns now appear overstated, according to new figures.

Survey data from market intelligence firm Sensor Tower show that, despite a surge in deletions following the announcement of TikTok’s U.S. joint venture on Jan. 23, the average number of TikTok’s daily active users in the U.S. remains around 95% of its usership compared to the week of Jan. 19-25.

The joint venture — officially the TikTok USDS Joint Venture — was established in compliance with U.S. President Donald Trump’s executive order mandating the divestiture of TikTok in the U.S. from its Chinese parent company ByteDance.

While ByteDance retains a 19.9% stake in TikTok’s U.S. operations after the agreement, Oracle, Silver Lake, and Abu Dhabi-based investment firm MGX each own a 15% share, with the remaining shares divvied among several other firms.

Following the announcement, users were quick to express discontent over TikTok’s new ownership.

The deal drew scrutiny, with prominent figures like Sen. Bernie Sanders (I-Vt.) raising concerns about cronyism over Oracle co-founder and Chief Technical Officer Larry Ellison’s involvement.

Following the joint venture’s announcement that Ellison’s Oracle would “retrain, test, and update the content recommendation algorithm on U.S. user data”, online speculation mounted that TikTok would begin mining user data or promoting content supportive of Trump’s policy positions.

Such concerns spiked on Jan. 25, with users claiming that TikTok was suppressing content critical of controversial Immigration and Customs Enforcement operations, and censoring buzzwords like ‘Epstein’ on the platform.

Last month, CNBC confirmed that messages containing the word “Epstein” triggered an error message, but was unable to independently verify broader claims of political censorship.

Asked about the issues, a spokesperson for the TikTok joint venture told CNBC in January that the platform does not prohibit sharing the name ‘Epstein’ in messages and that it was investigating why some users are experiencing the problem, among others.

CNBC reached out to the White House and TikTok for comment but did not receive a response by publication.

Engagement metrics unchanged

Although TikTok attributed last month’s disruptions to power outages, the glitches “no doubt impact[ed] how and what content was being served, even without any intent or motive,” according to Jim Johnston, partner at law firm Davis+Gilbert LLP.

Yet despite various user pledges to boycott the platform over apparent political suppression, engagement metrics among U.S. users suggest there has been little sign of a mass exodus.

The average daily time spent by American users on the platform has since returned to around 80 minutes, after dipping to an average of 77 minutes during the week of the reported disruptions, according to Sensor Tower data.

Additionally, while deletions spiked after the reported disruptions, they tapered off the following week, suggesting a temporary surge rather than a sustained boycott of the app.

“It is plausible that the short-lived rise in observed uninstalls was due to an attempt to troubleshoot the app,” Abraham Yousef, senior insights analyst at Sensor Tower, told CNBC, as the number of uninstalls followed by re-installations on the same day surged more than 70% on Jan. 25 from the day before.

While Yousef grants that the data suggests a “slight impact to overall usage” in the weeks after the Joint Venture was announced, there is no clear indication of a structural shift in user trends, as many sites touted as alternatives to TikTok have also struggled to sustain interest.

According to Sensor Tower, the number of new installs for UpScrolled – a social media platform that offers an algorithm free of automated systems that filter out content from some users known as shadow banning – surged by about 770% from the previous week, with more than 955,000 new U.S. downloads over the week of Jan. 26 to Feb. 1.

New UpScrolled downloads, however, fell sharply by about 80% the following week, bringing in only around 191,000 new users. In comparison, TikTok registered 870,000 downloads over the week of Jan. 26 to Feb. 1, and around 800,000 the following week.

Similarly, new downloads of other alternative platforms such as Skylight Social and Red Note respectively declined by 96% and 33% week-on-week from the week of Jan. 26.

Tenuous evidence of mass exodus

Sensor Tower’s user data more fundamentally seems to suggest that beyond anecdotal claims, users have largely been unable to identify tangible changes in TikTok’s American operations, or at least, not enough to meaningfully shift user sentiment.

“The idea of a mass exodus from TikTok now looks overblown,” Kelsey Chickering, principal analyst from Forrester, told CNBC. “Anecdotally, most users say the app feels largely the same – the algorithm hasn’t meaningfully changed, and the experience is still strong,”

While some American users may have perceived changes in the operation of their TikTok algorithms, “some changes to content suggestions are bound to occur simply due to the changed data set,” according to Johnston, referring to the Joint Venture’s announcement to retrain the algorithm on U.S. data.

But while analysts have been unable to find evidence that TikTok’s new American owners have engineered the platform in their favor, this is not a foregone conclusion.

According to Johnston, there are at least three notable changes to TikTok’s new terms of use, including the platform’s ability to collect precise location data from enabled devices, its collection of data on interactions with artificial intelligence tools on the app and its explicit integration with ad networks.

Although there has been no hard evidence of its occurrence, it remains technically possible to adjust TikTok’s algorithm to enhance or diminish the impact of certain types of content on recommendations, Johnston said.

Chickering adds that under its new owners, TikTok has more control over what shows up on American feeds, but this control, according to Chickering, is where TikTok’s opportunity – and risk – lies.

“If moderation starts to feel politically slanted or misinformation isn’t adequately addressed, the platform could face backlash from users and advertisers alike,” Chickering said, “We’ve seen this play out before: Twitter’s shift to X is a recent reminder of how quickly trust can erode.”

For now, however, the discontent from TikTok’s American users that marred its first few weeks under new ownership seems to have largely subsided.

As Chickering notes, “we’ve seen time and time again, if the product works, users tend to stick around regardless of who owns it.”

— CNBC