Answering the Unasked Question
An Introduction to Digital ID
This is the first part of a five-part series that I shall be publishing over the next couple of weeks. It addresses and attempts to answer an unasked question that is associated with imposing age restrictions on access to internet platforms. Limiting access and whether that is a good idea is one thing. How to do this – what sort of age verification systems will be employed – is entirely another.
In the righteous angst that has accompanied the debate about whether access to social media platforms should be denied to under 16 year olds no consideration has been given to what I term the unasked question. I suggest that the answer to that question would change attitudes to the issue entirely. This series of articles seeks to clarify the issues
Introduction – The Unasked Question
In most of the discussion about the proposed social media restrictions for under-16’s the question posed “Do you support such restrictions” received considerable support. Understandably. Who would encourage access to harmful content online by children. The other aspect is that many parents find it difficult to fulfil their parenting role by saying “no” to their kids and are therefore happy to defer that aspect of parenting to the State.
The problem is that in seeking the approval for the proposal the next question that should be asked goes unasked and unanswered.
And that question is how are you going to put in place a system that verifies that platform users or subscribers are over 16 years old. That same system will produce an “access denied” result for users whose verified age is under 16.
But the verification system is the real issue. And so far it has gone unaddressed.
The reason for that is that the implications are very serious in terms of data acquisition, retention and use.
Let’s pause for a moment and think about what is required. You want to access a social media platform. This involves what I describe as the Privacy\Verification Tradeoff and it introduces a paradox - to prove you are allowed to use something freely, you must surrender freedoms you currently have.
The Privacy\Verification Trade-off
The Starting Scenario
When you first approach a social media platform, your exposure is relatively limited. You choose a username, create a password, and begin using the service. There is a degree of practical anonymity in this — you are, at least on the surface, whoever you choose to be. The platform knows little about you beyond the email address you may have used to register.
The reality beneath this surface is already more complicated. Your IP address travels with every request you make, quietly logging where you are in the world and which internet service provider connects you to it.
Your device leaves its own fingerprints — screen resolution, browser type, installed fonts, system language — a combination so specific it can identify you with surprising reliability even without any formal identification process.
Your anonymity at this stage is real but fragile, protected more by practical inconvenience than by any robust technical barrier. A determined enquirer, armed with legal authority, can already connect your username to your front door.
How Age Verification Changes the Picture
Age verification changes this picture substantially, and it does so by design. The moment a platform asks you to prove you are over sixteen, the informal and retrievable-only-with-effort connection between your online presence and your real-world identity becomes formal, deliberate, and stored.
You are no longer incidentally identifiable — you are explicitly identified, and that identification is recorded.
The first layer of verification data seems reasonable enough. Your real name and address confirm who you are in the world.
A phone number adds a further anchor, tying your account to a physical device registered in your name. Taken together, these details would satisfy many everyday identity checks. But they are not independently verifiable — anyone could type a name and address into a form — and so the system demands more.
The introduction of a passport or driving licence fundamentally changes the nature of what is being collected. These documents do not simply confirm your name and age. They carry your photograph — a biometric identifier that is uniquely and permanently yours.
Unlike a password, which can be changed, or an address, which you might move away from, your face follows you through life. Once it is stored in association with your account, the link between your physical self and your online activity is not merely administrative. It is biological.
By this point, the verification system has assembled something that goes well beyond a simple age check. It holds your name, your address, your phone number, your date of birth, a copy of a government-issued document, and an image of your face.
It knows which platform you wished to access and when you sought access. If the verification was handled by a third-party provider — which it commonly is — that provider holds all of this data independently of the platform itself, creating a second repository of your most sensitive personal information.
The implications of this accumulation extend in several directions simultaneously. Within the platform, your verified identity is now attached to everything you do — every post, every search, every connection you make, every piece of content you linger over. The behavioural profile the platform builds about you is no longer associated with an anonymous username. It is associated with you, specifically and verifiably.
Beyond the platform, the risks multiply further.
Verification providers who service multiple platforms are in a position to observe your activity across all of them, constructing a picture of your online life that no single platform could assemble alone.
Your phone number, used across services for two-factor authentication, becomes a common thread linking accounts you may have deliberately kept separate.
And all of this data, concentrated in one place, becomes a target of considerable value — to advertisers, to data brokers, to hostile state actors, and to ordinary criminals, for whom a database linking real identities to online behaviour, facial images, and contact details represents an exceptionally useful resource.
And conceivably that data can be available to the State and its various departments.
The legal protections that currently guard this information are real, but they are not permanent and they are not uniform. Privacy law varies between jurisdictions, changes with governments, and is subject to exceptions that expand in times of political pressure.
The data, once collected and stored, exists independently of the legal framework that currently protects it. If that framework weakens — or if the data is simply stolen — the protection disappears while the exposure remains.
What emerges from this process, then, is not simply an age verification system. It is a comprehensive identity infrastructure, built on the stated justification of keeping under-sixteens off social media, but with consequences that extend to every adult who passes through it. The verification confirms your age in a moment. The data it generates persists indefinitely, attached to your identity, available to a widening circle of interested parties, and impossible to retrieve once surrendered.
This is the trade-off. Access to a platform you are legally entitled to use, in exchange for a level of personal exposure that would, in any other context, require serious justification.
The above analysis exposes a truth that regulators are only beginning to grapple with: age verification as currently implemented is a surveillance infrastructure that happens to check ages, rather than an age-checking system that happens to be privacy-respecting.
This is a very basic and simplistic description but it does provide a glimpse of an answer to the implications of the unasked and unanswered question.
Let’s take the issue a little further.
Ani O’Brien in her weekly roundup - A week is a long time: 23 May 2026 - makes the following comment (the italics are mine):
The Government has pulled an abrupt turn in its thinking around the proposed under 16 social media ban. I am hearing from multiple sources that officials and ministers have become increasingly nervous after watching the problems surrounding Australia’s approach, which has exposed just how technically difficult and politically risky these bans become once governments are forced to figure out how exactly you verify everyone’s age online.
Attention now appears to be shifting toward emerging European-style models built around much more centralised digital identity and age-verification systems which would create state-backed infrastructure for online identification rather than simply forcing platforms to “ban children”. That is a very different proposition politically and philosophically, because it moves the debate away from child safety alone and into questions about digital privacy, anonymity, surveillance and state control over internet access.
The issue came up during Erica Stanford’s appearance on Q+A last week, where she continued defending the Government’s push for stronger restrictions despite struggling to provide detailed answers around implementation. The central problem to be resolved is that any system robust enough to genuinely prevent under 16s accessing social media inevitably requires some form of age or identity verification for everybody else as well.
It is likely the National sees this kind of operation as a function for the Department of Internal Affairs and with Minister Brooke Van Velden retiring at the election they’ll be wanting someone in that spot to champion the move.
This provides some further insight into the nuance of the unasked unanswered question.
In Part 2 I will discuss the way that the UK is tackling the issue of Digital ID verification.
In Part 3 I will consider the Australian model and the rather patchy difficulties encountered in the model that was initially hailed by Prime Minister Luxon as the model New Zealand should follow.
In Part 4 I will discuss the EU model and the way in which it operates. In many respects, superficially, it provides considerable protection for privacy and security of ID information. But it is important to understand that the EU has developed a system of protections including a very robust data protection system that New Zealand does not possess.
In Part 5 I will conclude by considering how digital ID verification may be implemented in New Zealand and the risks attendant upon that.
It blows me away, to think the Govt may try to rush something thru ahead of the next election, without any mandate.
After all these years, I'm starting to think that perhaps democracy only applies to major issues when it suits the Pollies.
I lost a lot of faith/confidence over Labour's hidden/secret He Puapua agenda, making them the most devious party in NZ's history, IMO
Big Brother, armed with AI, is watching. Intently.