A Regulator's Impulse
Hasten Slowly on Social Media Restrictions
This article is a companion piece to that entitled “A Regulator’s Reflex” which can be found here. It deals with the issue of social media access restrictions and explains the danger inherent in the proposition - to paraphrase an old saying - “Legislate in haste; repent at leisure”
Introduction
Stuff reported on 16 June some interesting comments by Education Minister Erica Stanford, who now seems to be leading the charge for what has been described as a social media ban for under 16 year olds.
As matters stand what Catherine Wedd’s bill proposes is not a ban. It is a set of managed restrictions. The proposal is that nominated platforms will be required to restrict or prohibit access to those who are under 16 when they sign up.
But “ban” is more dramatic. Stuff’s position is clear from a banner in the 16 June article which reads
Stuff is currently, reporting in-depth on the need to regulate social media platforms who are not doing enough. You can read Editor-in-Chief Keith Lynch’s op-ed here.
If you have a careful look at the wording the need to regulate social media platforms is assumed as is the suggestion that they are not doing enough. So I don’t think that an unbiased view is going to come from Stuff’s editorial suite any time soon.
Ms Stanford is reported as being encouraged by the UK’s proposed ban (now that IS a ban) which she considered as helpful in building a consensus to stand up to the social media giants.
She is reported as saying
“This is now sort of a tsunami of countries who are wanting to protect young people from big tech, essentially,”
But she is a lady in a hurry, saying that she wasn’t willing to wait any longer to monitor other jurisdictions before she moves to introduce legislation.
“Every minute that we waste, another young girl has been fed awful information about her weight and her looks, and she’s being told that, ‘how about you know going to use this blade to cut yourself’
We cannot afford to wait to make sure that we’re protecting our young people from these harms.”
So the proposal is one that attracts, even although it interferes with parental autonomy. But to criticize the concept of social media restriction for the young is to divert the argument to one where the critic is uncaring about the welfare of children.
An editorial in the Herald for 19 June 2026 provided support for parental autonomy, and given Stuff’s position, it provided a welcome point of difference. The editorial contains the following remarks:
“…Unicef Aotearoa chief executive Susan Glasgow argues that Aotearoa does not need to lock children out of their online world; it needs to make their online world safer. She believes New Zealand needs to regulate the companies creating the harm and that a ban will not work.
A report found that more than 60% of children in Australia continue to use social media despite the country’s ban. They are often able to circumvent restrictions and, in many cases, remain active users.
This paper, in an October 2024 editorial, noted that a ban is not the answer and that the time to introduce controls was three decades ago.
However, if New Zealand’s Government follows through and imposes restrictions, platforms and parents need to do their best to help make it work, despite any practical challenges.
Ultimately, it is up to parents. They have the responsibility to protect their children and have rules, just like good parents have for generations.
In this regard, social media should be no different to curfews, driving, hanging out with the wrong crowd, smoking and drinking alcohol.”
There are a number of concerns about restricting social media for under 16’s. Although on first glimpse it appears to be a targeted approach it is in fact one that will affect all internet users, directly or indirectly.
The first issue involves the nature of the restrictions – restriction or ban.
The second issue involves cross-border issues – on a proposal such as this given that the platforms occupy a world without borders, surely an approach to standardise or harmonise rules would be the preferred course of action.
The third issue is the way in which an age verification programme will be put in place. I have already written on this and my critique has even attracted the attention of the Department of Internal Affairs which, although not confirming directly that it will be involved, has done so inferentially by attempting to defend its turf. My response to the DIA can be found here.
The final issue is that of enforcement. For the Rule of Law to have any credibility, the law has to be applied and enforced. Ms. Stanford acknowledges that the “ban” will not be effective at 100% of young people. She then likens social media to cocaine which is an apples and oranges approach to the issue – but an emotive and subjective one, which is a characteristic of Ms. Stanford’s approach.
But as I said she is a lady in a hurry and the note of urgency that she sounds could well cause problems in the future. Hasty legislation is generally bad legislation which proves to be unworkable or unenforceable or worse still laden with unintended consequences once an activist judiciary comes into the picture.
In this article I will consider the wider issue, the approaches of other countries, how they are working and what problems may be encountered down the track. It is unlikely these remarks will inhibit Ms. Stanford’s regulatory impulse but at least it will put the issues in the public domain.
Implementation, Scope, Verification and Enforcement
In December, Australia switched on the most ambitious child-protection experiment the internet has seen: a nationwide prohibition on anyone under 16 holding a social media account.
Six months later, the most honest assessment of the policy comes not from a regulator or a think tank but from a 15-year-old in Canberra named Olivia Olsen, who still has her TikTok account and reports that, on the day the law took effect, “nothing changed.”
That verdict ought to give pause to the lengthening queue of governments now lining up behind the Australian model.
Britain has just announced its own ban for under-16s, to take effect in early 2027, with Prime Minister Keir Starmer promising restrictions that “go further than any other country.”
France, Spain, Greece, Austria, Denmark, Malaysia, Indonesia and Canada are at various stages of the same journey, and the European Union’s leadership has begun reframing the question as whether social media should have access to children rather than the other way round.
The political momentum is real, the public support is overwhelming, and the underlying anxieties are legitimate. But the policy being sold as the answer is one that has already failed its first live trial — and the apparatus required to make it succeed is more dangerous than the problem it claims to solve. The evidence for that is no longer hypothetical. It has been accumulating, in Australia and in Britain’s own earlier experiments, for the better part of a year.
A real problem, badly answered
It is worth stating plainly what these laws are responding to, because the case for action is not frivolous.
Senior police in Britain have warned that the architecture of social media and messaging apps lets predators reach children at scale, and that young people have been coerced into sharing intimate images and then blackmailed.
Recommendation algorithms have funnelled vulnerable teenagers toward content glorifying self-harm and extreme violence. The death of Molly Russell — a 14-year-old who took her own life in 2017 after consuming a stream of suicide and self-harm material served to her by the platforms — remains the moral centre of gravity in Britain’s debate, and rightly so.
These harms are not invented, and parents who feel they are losing a daily war of attrition against engineered compulsion are not imagining things.
The question is not whether the problem is serious. It plainly is. The question is whether a blanket age ban, enforced through population-wide age verification, actually fixes it — or whether it offers the appearance of protection while building infrastructure that governments will find difficult to dismantle and easy to repurpose.
The evidence is already in, and it is not encouraging
The great advantage of being second is that you get to watch what happened to the country that went first. Australia’s results are now available, and they are damning.
Australia’s eSafety Commission, the body charged with enforcing the law, reported that roughly seven in ten parents whose children already had an account said their teenagers were still on a restricted service.
An online survey of more than a thousand young Australians suggested that over 60 percent of under-16s were still using their accounts. In January the regulator trumpeted that platforms had “removed access” to some 4.7 million children’s accounts — but the children, it turns out, simply walked back in through the side door.
The workarounds are almost comically simple. Teenagers draw a moustache on their faces to fool an age-estimation camera. They enter a fake birth date. They borrow a parent’s or older sibling’s login. Many report that their accounts never stopped working at all.
One mother told reporters she did not know a single person who had actually lost an account; the kids, she said, treat the whole thing as a joke.
This is the foundational problem with the entire approach. A law that the people it targets can defeat with a felt-tip pen is not regulation; it is theatre. And the evidence that it is theatre was available before Britain announced its own version — the British online safety minister even flew to Australia to study the rollout — which makes the decision to proceed regardless a telling one.
Britain has already run a smaller version of this experiment
The under-16 social media ban is new, but Britain has already lived through a dress rehearsal for the verification regime it will require.
In July 2025, the age-assurance provisions of the Online Safety Act came into force, obliging sites that host pornography and other content deemed harmful — material relating to suicide, self-harm and eating disorders among it — to deploy “highly effective” age checks, typically a government ID upload or an AI facial scan.
The public response was instantaneous and instructive. According to the VPN provider Proton, UK sign-ups jumped by more than 1,400 percent within minutes of enforcement, a sustained surge the company compared to levels normally seen during civil unrest.
The monitoring service Top10VPN recorded UK VPN traffic spiking roughly 1,300 percent on the first day and climbing toward 2,000 percent over the following days; NordVPN reported a tenfold rise in subscriptions.
On enforcement day, half of the ten most-downloaded apps in the UK App Store were VPNs or identity tools. A petition to repeal the age-verification rules gathered more than double the 100,000 signatures needed to force a parliamentary debate.
A VPN, for the uninitiated, makes a user’s connection appear to originate abroad, sidestepping the age check entirely — and a child capable of installing one (which is to say, almost any child) is returned to exactly the unverified internet the law sought to wall off.
Britain’s own regulator, Ofcom, was reduced to telling platforms they may not encourage VPN use and warning parents that children behind a VPN lose the protections altogether: an implicit admission that the wall has a door, the door is unlocked, and the regulator knows it.
This is the regime Britain now proposes to extend from pornography to the whole of mainstream social media, applied to a far larger population of far more motivated teenagers.
The real cost is the verification machine
Here is the part of the debate that gets too little attention, drowned out by the emotional weight of the harms the bans are meant to address. To enforce an age limit online, a country has essentially three options, all of which carry risks.
The first is document-based verification: users upload a passport, a driver’s licence or other government ID to prove their age.
This does not merely inconvenience teenagers; it requires adults — everyone — to hand identity documents to private platforms, or to third-party verifiers, in order to read the news, find a job, organise a protest or simply talk.
It converts every covered service into a repository of the population’s most sensitive data: a honeypot that will, sooner or later, be breached.
This is not a speculative fear. It is a documented pattern, and 2025 supplied two textbook cases.
In October, Discord disclosed that attackers had reached roughly 70,000 users’ government IDs — passports and driver’s licences submitted, in part, to satisfy age-verification appeals — by compromising a third-party customer-support vendor; the breach also exposed names, email addresses, partial card numbers and IP addresses, and the hackers claimed to have siphoned far more than Discord admitted.
A few months earlier, the women’s-safety app Tea, which required a selfie and a government ID to join, left some 72,000 images — about 13,000 of them verification selfies and photo IDs — sitting in an unprotected cloud bucket; they were discovered on the message board 4chan and promptly mirrored across torrent sites. A hastily built rival app then leaked its own users’ licences within days of launching.
The lesson is not that these particular companies were careless, though they were. The lesson is that mandating the collection of identity documents at internet scale guarantees that some of them, somewhere, will end up in the wrong hands — and a leaked passport, unlike a leaked password, cannot be reset.
The second option is biometric age estimation: a camera scans your face and an algorithm guesses how old you are. This is the system Australian teenagers defeated with a drawn-on moustache, and the spoofing is not the only weakness — the underlying accuracy is shakier than vendors’ marketing suggests, precisely in the age band that matters.
The U.S. National Institute of Standards and Technology, which independently tests these algorithms, has found mean errors of several years for adolescent subjects; by one analysis of its data, fewer than 35 percent of 13-year-olds were pinned to within a year of their true age by any system tested, and error rates ran higher for girls than for boys. A tool that routinely mistakes a 13-year-old for a 16-year-old, or a 17-year-old for a 20-year-old, will wrongly admit children and wrongly exclude adults at scale.
But accuracy is almost the lesser concern. To normalise the routine facial scanning of the entire population — including, necessarily, the biometric processing of children’s faces — as the price of admission to ordinary online spaces is to accept a surveillance posture that would have been unthinkable as a stand-alone proposal. Smuggled in under the banner of child safety, it arrives nearly unopposed.
The third option is the EU model – a shared age verification app which I described in this article.
Rather than leaving every member state and every platform to invent its own solution, the European Commission took an unusual step — it commissioned and built a reference age verification application itself.
A blueprint for an EU age verification app was released in July 2025, serving as a basis for a harmonised approach across member states. An enhanced second version followed, and on 15 April 2026, Commission President Ursula von der Leyen announced that the EU age verification app was technically ready, with arrival on European smartphones expected by summer 2026.
The app works in three ways. It offers three methods to prove age: national ID card verification, passport-based verification including biometric matching, or attestation via a trusted third party such as a bank or established digital identity provider.
But is this transportable? It is not because it is designed to operate within the protective framework of the highly structured EU data protections and is connected to the EI Identity wallet. Thus although the EU model is state based it is designed to fit within the EU framework
The Platforms’ Response
Even the platforms see where this leads. Meta, responding to Britain’s announcement, argued that any restriction must rest on age verification built into the device rather than forcing people to surrender ID to dozens of separate services.
That is a real improvement on the honeypot problem — but it also concentrates the gatekeeping power over internet access into the hands of Apple and Google, and it still requires that someone, somewhere, holds an authoritative record of how old you are and ties it to your hardware.
There is no version of mandatory age verification that does not end in a durable, centralised link between a real human identity and online activity.
That link is the prize, and once the infrastructure exists, the temptation to use it for purposes well beyond protecting children — fraud prevention, “misinformation,” law-enforcement access, eventually whatever a future government decides — is the oldest story in the regulation of speech.
Mission creep is not a risk of these systems; it is their natural trajectory. Britain’s own experience shows it already under way: a regime sold as a shield against pornography has, within a year, become the template for gating mainstream social media, and the same providers now talk of extending checks to gaming, livestreaming and AI chatbots.
“They get around other laws, too”
Defenders of the ban have an answer to the circumvention problem, and it deserves a fair hearing.
Starmer dismissed the objection by analogy: teenagers manage to get hold of alcohol, he argued, but no sane person concludes that we should therefore stop banning alcohol sales to minors. Imperfect enforcement, on this view, is no argument against a law that shifts the norm and protects most children most of the time.
The analogy is seductive and wrong. Alcohol is a physical product sold at a physical counter; the age check happens once, at the point of sale, by a human glancing at a face or an ID.
Social media is speech, information and connection, accessed continuously from a device. To “check ID at the counter” for the internet, you must build a system capable of verifying the age — and therefore, in practice, the identity — of every user, on every covered service, every time. That is not a doorman with a clipboard. That is a standing identity-verification layer over a substantial part of public life.
The alcohol comparison smuggles in the assumption that the enforcement mechanism is cheap and contained. The VPN exodus and the breach headlines show it is neither.
A patchwork of bans, a common flaw
The international picture reveals how unsettled the underlying thinking is. Australia and Britain target the under-16s. France and Greece have settled on under-15, Austria on under-14. Denmark aims at under-15 but lets parents grant permission from 13.
Brazil declined to ban at all, instead requiring children’s accounts to be linked to a guardian and outlawing “manipulative design.” China simply blocks much of the Western internet and rations its own, capping minors’ video-gaming at three hours a week. Malaysia and Indonesia have their own thresholds and platform lists.
Britain, going furthest, proposes to bolt on livestreaming bans, limits on contact with strangers, restrictions reaching into gaming and even age limits on AI companions, plus musings about overnight curfews and forced breaks in infinite scrolling.
The striking thing is how arbitrary the age lines are — 14 here, 15 there, 16 elsewhere — for a harm that does not respect borders or birthdays. That arbitrariness is a symptom. It reflects the fact that “16” is a political number, not a developmental one, and that the policy is being driven by the need to be seen to act rather than by evidence about what actually protects a developing brain.
There is also a revealing gap in the British proposal: messaging apps such as WhatsApp and Signal are excluded. Yet much of the most acute harm police describe — grooming, sextortion, the private coercion of children — happens precisely in messaging, not in public feeds. A ban that leaves the principal channel of one-to-one predation untouched while imposing identity verification on the public square has its priorities exactly inverted.
When the courts get a say
The clearest preview of how these laws fare under genuine legal scrutiny comes from the United States, where free-speech protections are unusually muscular and where roughly half the states have enacted some form of online age-verification rule.
The result has been less a wave than a cyclone of litigation, with the tech trade group NetChoice challenging statute after statute — and, on the general-purpose social media bans, winning more often than not.
In December 2025, a federal court permanently struck down Louisiana’s age-verification law, with the judge warning that the state cannot wield a “free-floating power to restrict the ideas to which children may be exposed” and likening the scheme to posting an ID check outside the door of a library.
A federal judge in Arkansas threw out that state’s parental-consent law in similar terms, writing that it took “a hatchet to adults’ and minors’ protected speech alike” where the Constitution demanded a scalpel. Other states have fared better — Florida’s law has survived, for now, on appeal — and courts have been more willing to permit age checks narrowly for pornography than for social media at large.
But the recurring judicial objection is precisely the one the bans’ champions wave away: conditioning access to lawful speech on the surrender of identity is a serious imposition on adults and children alike, not a mere formality.
It is no accident that the United States, hardly a bastion of light-touch instinct, declined to endorse Britain’s approach when consulted, objecting to one-size-fits-all content rules and “blunt regulatory instruments.”
A government that takes expression seriously cannot simply wall a class of citizens off from a primary medium of modern communication on the strength of “most parents would like us to.”
Letting the platforms off the hook
The most powerful critique of the bans comes not from libertarians or trade lobbyists but from the person with the most painful standing in the entire debate.
Ian Russell, Molly’s father, has spent years campaigning for online safety — and he opposes the ban. His argument is that a blanket prohibition lets the platforms off the hook: it shifts the burden from the companies, who would otherwise be required to make their products safe as a condition of operating, onto a verification gate that the companies are happy to hide behind.
“Bans are the wrong answer to a vital question,” he said, calling Britain’s version a “politically expedient blanket ban” and urging the government instead to strengthen the existing Online Safety Act.
He is right about the incentives. Once the legal duty is “keep under-16s out,” a platform that builds a flimsy age gate and watches kids climb over it has discharged its obligation on paper while changing nothing in practice.
The far harder duty — design feeds that do not push self-harm to vulnerable teenagers, build reporting systems that work, stop recommending strangers to children — gets quietly displaced by the easier one. Industry groups have made the related point, perhaps self-servingly but not wrongly, that blunt restrictions push children toward smaller, unregulated, riskier corners of the internet rather than the comparatively well-resourced safety teams of the major platforms.
And the academics who study this for a living, such as the Oxford Internet Institute’s Victoria Nash, warn that a ban is a “blunt tool” carrying a real opportunity cost: it forecloses the genuine benefits some young people draw from online spaces — peer connection, support communities, access to information — in exchange for protection it cannot reliably deliver.
The politics of looking decisive
None of this would matter so much if the stakes of getting it wrong were low. They are not. Britain’s announcement landed as Starmer faced threats to his leadership after heavy local-election losses, and critics noted the convenient timing of a popular, emotionally resonant crackdown.
When 74 percent of the public backs a measure and nine in ten surveyed parents are in favour, the political path of least resistance is obvious. But popularity is not the same as efficacy, and a government that builds a national identity-verification layer because the polling is good — rather than because the evidence shows it works — has made a decision it will struggle to reverse. The verification infrastructure, unlike the headlines, does not expire. The VPN that a teenager downloads to dodge it, by contrast, takes about ninety seconds to install.
What protecting children would actually look like
To oppose the bans is not to wave away the harms. It is to insist that the remedy match the problem. That means holding platforms to enforceable, audited safety-by-design duties — and fining them, hard, when their algorithms demonstrably push self-harm content to minors, rather than letting an age gate absolve them.
It means resourcing the existing regulatory regimes that the bans are, in effect, an admission of having under-enforced. It means targeting the actual vectors of the worst harm, including private messaging, instead of the politically visible public feed. And it means refusing the false comfort of a policy whose own first test produced a nation of teenagers laughing about how easily they beat it.
Australia’s experiment did not fail because the government lacked resolve or because the technology was not quite ready. It failed because the entire premise — that you can keep determined teenagers off the most engaging products ever built by checking their age at the door — is mistaken, and because the only way to make the door-check work is to build a surveillance apparatus that the rest of us will be living inside long after the moustache trick has been forgotten.
The leaked passports of Discord’s users and the 1,400-percent VPN surge are not teething troubles. They are the policy working exactly as its design dictates: failing to stop the children while succeeding in surveilling, and exposing, the compliant adults.
The next generation of children may indeed grow up with different norms around social media. If they do, it will be because parents, schools and communities changed the culture — not because a verification server somewhere decided they were old enough to speak.
Conclusion
Ms. Stanford’s desire to get moving and her desire not to wait upon the results of similar models has an irony to it. Mark Zuckerberg in the early days of Facebook suggested “move fast and break things” emphasising that in software development speed and innovation outweigh the fear of making mistakes. The idea is to rapidly push prototypes to market, learn from failures, and iterate.
That is an attitude that may have had its day. Modern engineering and product management favour mantras like “Slow is smooth, and smooth is fast” which prioritizes precision, discipline, and coordination to compound advantages over time.
“Launch and iterate” which focusses on constant improvement rather than tolerating breakage. And finally “Move with curiosity and experiment with discipline” — Build sustainable products that maintain user trust.
These approaches have their parallels in legislation – and perhaps the hurrying Ms. Stanford, anxious to get runs on the board, needs to keep them in mind.
So for many of us it comes back to parental modelling and guidance and all the reasons that this is so sadly not part of the equation these days for a multitude of reasons.
"Unintended consequences once an activist judiciary comes into the picture". Indeed.
Thank you for an in-depth overview that the mainstream media can't provide.