
The 'papers, please' era of the internet will decimate your privacy

Why This Matters

The increasing implementation of age verification measures, often invasive and opaque, threatens to erode user privacy and civil liberties online. As governments and platforms adopt 'papers, please' approaches, consumers face heightened risks of data breaches and misuse, especially when sharing sensitive information. This shift underscores the urgent need for privacy-focused regulations and transparent verification methods to protect individual rights in the digital age.


Imagine your favorite team just scored an incredible, last-second goal at the World Cup. So you log online to celebrate with other fans. But, using data it’s already collected on you, the social media platform you like to post on wrongly guesses that you’re under 16 so it forces you to go to a third-party verification app and provide images of your face or your government-issued ID. You don’t really know much about the verification app, what country it’s based out of, what happens with your information, and whether you’re protected from hackers or data breaches. You’re not happy about it, but you hand over a photo of your passport and hope it doesn’t come back to haunt you.

Now imagine that instead of posting about sports, you’re criticizing a powerful politician, or talking about your experiences with abuse or addiction, or discussing embarrassing medical issues you’re facing. Suddenly this “papers, please” approach to the internet sounds even more invasive, right? Unfortunately, that’s the direction we’re all headed — even here in the United States — and we have good reason to be wary of the global rush to sacrifice user privacy on the altar of age verification.

How has this worked (or not) in Australia?

Australia’s social media ban for under-16s went into effect in December 2025 and set a landmark standard many other nations now look to when crafting their own such regulations. As a preliminary matter: This law is not working as intended. The government’s own research found that months after the institution of the ban, roughly seven out of 10 kids still were using social media. And a study just released in the British Medical Journal found “little evidence was found of immediate substantive reductions in reported social media use by adolescents under 16 years.” Secondly, phones are already banned in Australian schools, so this ban is intended to address what kids do on the internet in their own free time, not during class time.

So, what exactly does this law — one that is rendered irrelevant during the school day, and isn’t even working properly outside it anyway — actually mandate? Well, pretty much what was in the hypothetical described earlier in this piece, except it’s not at all a hypothetical anymore.

Australia’s law mandates that social media companies, at risk of massive fines, collect either biometric info, government-issued IDs, or other data from users because they now have a duty to take sufficient steps to ensure users under 16 are kept logged out. In some cases, platforms can use existing data they have on users to verify age, like if an account has been open for a sufficient number of years, but will in many scenarios need to verify independently by gathering more user data. This is where third-party verification tools come in.

Look at Snapchat, for example. Snapchat uses k-ID, a company based in Singapore, and allows verification through a banking connection, government ID scan, or selfie the company uses to provide an age range. This requires quite an investment of trust on the user’s end. How do third-party companies like this retain and protect data? What kind of laws govern these companies abroad? Is such a company in another country more susceptible to censorial requests from local or foreign governments?

Australia does order that personal information collected for age verification “must be destroyed once all purposes have been met.” But those purposes include challenges and complaints, so it’s unclear exactly how long data will be retained on users who object to wrong age classifications. Worryingly, in research conducted before the ban went into effect, Australia’s Age Assurance Technology Trial “found some concerning evidence that in the absence of specific guidance, service providers were apparently over-anticipating the eventual needs of regulators about providing personal information for future investigation…which could lead to increased risk of privacy breaches due to unnecessary and disproportionate collection and retention of data.”

The longer that information is retained, and the more of it that is collected for verification, the greater the risk of breaches or hacks that threaten a user’s privacy. Now multiply that individual risk by millions.

We don’t even need to imagine the hypothetical here, because it happened to nearly 70,000 Australians just weeks before the under-16 ban went into effect. A third-party customer service app Discord used “mainly to deal with” — guess what — “complaints relating to the platform’s age assurance processes” was hacked, leading to the release of “government ID images, names, usernames, email addresses, and some limited billing information.”
