Monday, 6 July 2026 · Independent · Unbought

Congress unmasks whistleblowers under child-safety rules

A reporter was subpoenaed over her sources as Congress passed an age-verification law that could unmask whistleblowers next time.

Ellen Nakashima spent her career persuading people inside government to talk to her. On 23 June the Justice Department served her, and three Wall Street Journal reporters, with grand jury subpoenas demanding she reveal who told her what Donald Trump’s administration was planning on Iran. The subpoenas were withdrawn within days. The point had already been made: this White House will go after a named reporter’s sources directly.

A year earlier, on 25 July 2025, the day the UK’s Online Safety Act’s age-check rules took effect, a video of police restraining a protester outside the Britannia Hotel in Seacroft, Leeds, became inaccessible to UK users on X. No child was protected by that. A citizen’s record of what police did to him in public disappeared behind the same machinery built, we were told, to stop children seeing pornography.

These two events, an ocean apart, are the same story. Age verification does not check age. It checks identity. And a law built to gate children out of harmful content necessarily builds a database of every adult who wanted to stay anonymous, including the whistleblower, the dissident and the reporter’s source.

The bill that passed while nobody was watching

On 29 June the House of Representatives passed the Kids Internet and Digital Safety Act, known as the KIDS Act, by 267 votes to 117. It now goes to the Senate. The bill does not, on its face, order every platform to check every user’s date of birth. What it does is define “sexual material harmful to minors” broadly enough that platforms carrying adult content, including general-purpose sites like X and Vimeo, face serious legal exposure unless they verify who is looking. As the writer Taylor Lorenz put it, in an analysis by Freedom of the Press Foundation’s Caitlin Vogus and the Center for Democracy and Technology’s Aliya Bhatia: there is no way to reliably verify someone’s age without verifying who they are.

Vogus and Bhatia’s warning, published two days before the vote, was blunt. Mandating age verification, they wrote, “effectively hands Big Tech and the government a skeleton key to the identities of every whistleblower, dissident, and investigative reporter who uses online platforms.” A source who wants to warn the public about a war can no longer knock on that door unmasked. A reporter who wants to run an anonymous account to document an extremist group, or to publish safely from inside a hostile state, loses the option entirely.

Democrat Frank Pallone, who has previously condemned the FCC for using its powers against press freedom, helped negotiate the deal that produced this bill anyway. That is worth naming, because this is not a story about one party’s villainy. It is a story about a mechanism that any government, of any colour, now has reason to want.

Britain already built the machine

None of this is speculative for a British reader, because Britain built the prototype first. The Online Safety Act has required “highly effective” age checks (facial scans, photo ID or credit card verification) since July last year. Ofcom has already fined one operator, Kick Online Entertainment, £800,000 for failing to run them properly, and holds provisional findings against three more platforms. Its statutory report on how well age assurance is actually working, the document that will set the terms for the next round of enforcement, is due by the end of this month.

In June, Ofcom published guidance recommending rapid “crisis response” protocols for platforms during sudden spikes in harmful content. Open Rights Group has warned this reaches directly into livestreamed footage of police confrontations, the exact kind of material that vanished from view in Leeds. VPN use in the UK jumped by more than 1,400% on the day the age-check rules bit. Ofcom admits it cannot block VPN use. Its own March consultation floated whether turning a VPN on should itself trigger an age check.

The company behind the curtain

In February, security researchers found that Persona, the identity-verification firm behind Discord’s UK age-verification trial, had left its government dashboard codebase, 53 megabytes and 2,456 files, exposed on a public server. What the files showed was not a simple age gate. Researchers documented 269 separate verification checks running behind the scenes: facial recognition matched against watchlists, screening for “politically exposed persons”, and adverse-media screening across categories that include terrorism and espionage. Persona’s stack, according to the exposed files, can file reports directly to the US Treasury’s financial crimes unit and Canada’s equivalent. It retains IP addresses, device fingerprints, ID numbers and facial images for up to three years. Persona disputes how its architecture has been characterised; the files themselves, sitting on a public server, are not in dispute.

Persona is backed by Peter Thiel. It also screens users of OpenAI’s products. Discord’s previous verification partner was breached in October 2025, exposing roughly 70,000 government ID photographs that were later held for ransom. A firm supposedly checking whether a teenager can watch a video is, on the same books, screening faces against terrorism and espionage watchlists and reporting to state financial-crime agencies. That is the tool a child-safety law hands to every government that adopts it.

Who benefits, who pays

The state gets a database it never had to build a warrant for. The vendor gets a government contract and a commercial data asset that runs for years past the point anyone remembers giving consent. The whistleblower, the protester and the reporter’s source get nothing but exposure. Critics of this argument will note, correctly, that the KIDS Act does not use the word “mandate” and that the DOJ withdrew its subpoenas against Nakashima and her colleagues. Both are true, and neither matters much. A platform facing liability for hosting the wrong content will verify identity anyway, because the law makes the alternative too expensive. And a government that can pull a name from an age-verification database no longer needs to subpoena a newsroom at all. There is no editor to say no.

Real children are harmed online and that harm is real. The answer being built on both sides of the Atlantic is not a better gate. It is a permanent record of every adult who tried to walk through anonymously, sitting on a server owned by a company that already answers to the Treasury.