Papers, please
Few argue under-16s are fine online. The question is why ID checks for everyone is presented as the only solution.
The below is a rework of research I conducted for my coverage of the UK social media ban for Sandmark, which you can read here and find out more about the privacy tech tools that are being built to provide more individual control over data sharing.
It was hot in London, that kind of heat that nudges Londoners out of their houses, spilling out onto the streets to enjoy their brief slice of Euro summer.
Within this backdrop of sun and long evenings, I’d found my way to a party in a converted warehouse in the shadow of the Shard, near London Bridge. A smattering of founders and developers dancing to ABBA’s Gimmie Gimmie Gimmie a man after midnight, providing the soundtrack to my rant on the decline of privacy in the UK.
It had been a week since (now ex) PM Keir Starmer had announced the Labour Party’s intention to extend the Online Safety Act, mandating age verification from spring 2027 to enforce a social media ban for under-16s.
On the surface restricting access to social media for children sounded like a great idea - even I could feel the effects of too much scrolling - but its implications meant a tightening on internet freedom for all citizens of the UK. Once the ban is in place, in order to access social media platforms, every social media user would have to upload identifying information, like passports, to access their accounts.
In 2025 a similar restriction had been implemented for websites with sensitive content, which I went into in a previous newsletter last year. The increasing sophistication of AI used to assist in harnessing already vast amounts of online data was already making those that I spoke to about both AI and privacy tech nervous.
After a day with friends who had already told me, “Take my data! I don’t care” I thought maybe I was overreacting. But, in the warehouse, I had met a consultant who was working with some of the biggest companies in the world with their AI integration. He too, was concerned about the amount of data already online, and how the restrictions might add to it.
But I’ll go into all that and the nuance of the ban in more detail below.
The reasoning behind it
The social media ban is the latest application of a sweeping set of laws titled the Online Safety Act that allows the regulation of online content, making internet service providers responsible for the content shared on their platform. When applied to social media, it means that social media platforms will be responsible for checking the identity documents of their users, in order to allow access.
The ban itself is nuanced because of its positioning as a way to target huge problems with children’s usage of social media and the internet. Honestly, if I had children, I too would be very concerned about what they are exposed to online.
Starmer said in his announcement of the social media ban that it comes as a way to address the declining mental health in children, caused, in part, by heightened social media usage. Many of the reports cited, including a consultation carried out by the government itself in 2026, are quick to highlight that defining causation has been challenging. A report carried out by the House of Commons Science and Technology committee in 2019 stated that it was difficult to determine whether mental health conditions drew children to spending more time online or whether the time itself exacerbated problems. However, a report submitted by Bernardo’s Children’s charity in 2018 found that mental health disorders in children rose from 12% to 27% when using social media for more than 3 hours a day.
A 2026 report by Ofcom cited in the consultation document found that “the impact of social media is nuanced” and “negative impacts are small when averaged across the population” it indicated the features of the platforms made it “harder for children to consume social media in moderation.”
Then there are the problems of bullying and exposure to harmful content. The House of Commons 2019 report noted that social media could amplify existing problems of bullying and grooming while Ofcom’s media use attitudes report of 2026, found that of the 23% of children that reported “nasty or hurtful” behaviour happening to them personally in the past year, it was split between 47% online and 43% face-to-face.
Therefore the ban was deemed necessary by the UK government because the “risk outweighs the benefits.”
But although I’m of course on board with addressing all of these issues, as are all the people I have talked to about the ban, their concern focuses on the implications of such a quick implementation of a blanket ban.
“A ban on under-16s is impossible to implement in a way that only affects under-16s,” said Joe Andrews, CEO of Aztec Labs, a company that develops blockchain backed privacy-centred products. “The only way to keep a teenager off a platform is to check the age of everyone signing up, so a rule aimed at children alone becomes an ID requirement for the whole country.”
Data honeypots
In 2025, the invocation of the Online Safety Act led to implementation of age restrictions on websites with adult content.
This first application brought with it the rumblings of concern from privacy advocates. Citing heightened instances of online hacks of personal data, jumping 79% in the last five years according to the latest Identity Theft Resource Centre report, they reasoned that the uploading of sensitive identifiable data like passports could only do more harm than good.
“Every platform will now require you to hand a passport or a face scan to a verification vendor, and every one of those vendors becomes a honeypot of real IDs waiting to leak,” said Joe.
“We saw it with the Online Safety Act checks last year, we saw it again when a provider connected to Discord leaked tens of thousands of government ID images, and we’ve seen it countless times over the years. Millions of adults take on the real risk, identity theft and fraud, for a measure that determined teenagers could easily route around with a VPN anyway.”
Raido Saar, founder and CEO of digital ID provider, ComplyOnce noted that already criminals had accessed the data of 200 million Pornhub users in December 2025, compiled of email addresses, viewing activity and location.
“This data is not only private, but this is really delicate,” he said. “This data is valuable on the dark web, and is really usable for extortion and quieting your political opponents.”
Historical abuse
The implementation of an age-verified gateway to social media platform brings with it an implication that stretches beyond the potential for extortion that Saar noted could follow data collected by adult websites. Privacy advocates pointed to a number of historical instances where online data collection has already been harnessed for identification, surveillance and influence using legitimate data collection techniques.
The first, highlighted by Aztec’s Joe, was in the release of AOL search logs in 2006. The company released a large excerpt of search queries without related names and email addressed, intended for independent research. However, numbers associated with the accounts related to the searches allowed reporters from The New York times to track down and identify associated users. AOL took down the data, by which time it had been copied throughout the internet.
Search queries were described as “highly personal” and embarrassing in the class action lawsuit following the release. Among the information surfaced were searches related to health concerns, escaping abusive situations, sexual assault and inflicting harm. The company’s release of the data was found in breach of electronic privacy laws and settled in 2013.
The release of the data highlighted the issue of mass data collection online. The risk, he said, is that individuals have no control over the data collected yet carry the cost of it being released to the public. “Your location history gets sold and shows where you live and who you visit,” he said. “The shopping you did gets fed into a pricing model that sets your insurance. A dataset leaks once and follows you for a decade. You can’t reissue your face the way you reissue a card. None of this stems from you having done anything wrong.”
“You can’t reliably anonymise behaviour, and once it’s pooled somewhere it’s one breach from a name. The safest data is the data you never collect.”
The second, cited by Roxana Nasoi of Logos, is in the Facebook Cambridge Analytica scandal of the 2010s. The research firm, Cambridge Analytica, was accused of using personal data connected to 87 million Facebook profiles to psychologically target users and assist the presidential campaigns of Ted Cruz and Donald Trump in 2016. The company was also accused of using the data to assist the influence of Leave.EU’s Brexit campaign although later investigations found no evidence of misuse.
Restricted freedoms
All of this data collection is one thing, but when put into the context of how global internet freedoms are headed, it really makes you think twice about what you want to share online.
Of the 5.5 billion people who have access to the internet, Freedom House’s latest Freedom of the Internet report reads, 81% live in countries where people have been imprisoned due to an online post. Although the US, Canada, the UK and much of Western Europe have kept their status of digitally “free”, increased restrictions imposed by governing administrations have brought their rating close to losing that classification.
The implementation of AI tools has increased governments’ capacities for surveillance. According to the Carnegie Endowment’s AI surveillance index, both America and China have deployed AI surveillance technology around the world. “Liberal democracies are major users of AI surveillance. The index shows that 51% of advanced democracies deploy AI surveillance systems. In contrast, 37% of closed autocratic states, 41% of electoral autocratic/competitive autocratic states, and 41% of electoral democracies/illiberal democracies deploy AI surveillance technology,” the paper stated. “The most important factor determining whether governments will deploy this technology for repressive purposes is the quality of their governance.”
The application of surveillance measures is often dressed up as positive enforcement as a way of increasing methods to catch online criminals. In a recent hearing regarding the Canadian C-22 Lawful Access Bill, a bill that would allow the Canadian government to enforce back doors into digital service providers’ encryption, Canadian Conservative MP, Dane Lloyd, who opposes the bill, stated that “Law enforcement and national security experts have long argued that they do not have the tools to effectively go after terrorists, organized criminals and child predators, who are coordinating a lot of their activity online.”
Similar arguments were made in the implementation of the 2016 Investigatory Powers Act in the United Kingdom, which, it resurfaced last year, allowed the UK government to secretly enforce similar surveillance mechanisms.
This justification is enough for some, who opt instead for “centralization and convenience.” In a world where internet freedom is upheld, what does it matter if the government knows about what someone does online, as long as they aren’t a criminal? However, in the world we live in, where online privacy is in continuous decline, the presumption of “innocence until proven guilty” turns into a presumption of guilt and collection of data to continually prove innocence.
Designing for consent
So now I’ve gone through the pains of outlining all that, and you, taken the time to read it, what then is the solution?
“The real battle should be around protecting consent,” said Roxana. “Privacy is consent to access what makes you who you are [...] the erosion of consent [to internet data] is the erosion of online privacy, which has triggered a decline in internet freedoms over the past 20 years, and has impacted civil society.”
There are technological solutions being built to protect consent to data, which you can read about in more detail in my coverage of this in Sandmark. But, in the words of Doro Unger-Lee, Director of development at Corpus Christi College Cambridge, who organised a roundtable to discuss privacy-preserving technology at the House of Lords in November 2025. “The gap is governance, incentives, and political will.”
Roxana told me about the round table, that there were experts on data ownership, academics, technologists and biometric identity developers, all there to discuss a privacy preserving Digital ID solution.
The implementation of the Online Safety Act restrictions came two months before the UK government announced the roll out of a digital ID scheme that would be made mandatory to prove a right to work. Introduced without a public consultation, the announcement was met with criticism. An eight week consultation period was delayed until March 2026.
Given the government’s latest moves to ban social media without age verification, “some sort of digital ID is kind of inevitable,” she said, as it would make it easier for internet users to verify their age online. While the UK has stated that digital IDs “can offer privacy protection,” little has been released around how they will design the IDs to ensure privacy.
Although the round table to discuss privacy preserving solutions was held in the House of Lords, “None of the Lords attended,” said Roxana Nasoi, spokesperson at Logos, a decentralised community that develops blockchain based privacy technology. “The Baroness [Manzila Uddin] who was chairing was completely overwhelmed because it was highly technical.”
In a research briefing published in March, the government highlighted that the ID would be built “in house” leaving little room for iteration, however, it seems like there’s little interest or understanding in making sure privacy protection will be a feature.
“It’s going to open up so many issues. Maybe some of them we haven’t even grasped yet,” Roxana told me.
And yes, this is about the UK, but as Roxana told me later, things passed by the UK are likely to have knock on effects on how the same problems are treated in other jurisdictions.
Directions of travel
Walking home from the warehouse that hot night, ABBA still ringing in my ears, I still thought - am I overreacting? The friends who told me they were happy to wave away their data have a point, there is a real ease in letting the platforms and the government handle the admin of proving who you are in order to access what you want online. For most people, most of the time, for now, nothing bad comes of it at all.
But it’s about the direction of travel that has me worried. Everyone agrees that the stated goal of the current ban is a good one, something that should be addressed. However, the children it claims to shield are the ones who will inherit a country where access to information online is dependent on who you are.
A House of Lords round table filled with experts to discuss how you protect individual rights while you do it, and not one of the people meant to build and govern the system itself bothering to turn up, tells you roughly how much of the governments’ thought is going into what this means further down the line.




The idea is to punish people for wrongthink under the guise of holding people accountable for their actions and protecting children. In Mexico, you now need to register your phone numbers and undergo ID verification. The same will happen for anyone seeking Wi-Fi passwords. I mean, hey, you need an ID to sign up for electricity and water services, so why should the internet be any different? That's going to be the so-called logic presented.