Protecting Children, or Identifying You?
How age verification laws in Australia, the UK and the EU are building an internet where EVERYONE will have to prove who they are, and what you can do about it.
4.7 million.
That’s how many social media accounts the Australian government claims to have deactivated, removed or restricted since its under-16 social media ban took effect in December 2025. And publicly, the government are calling this a win.
Except the eSafety Commissioner’s own compliance report, published months later, found no discernible drop in complaints involving under-16 users. Kids are still on these platforms, using facial-estimation loopholes and re-verification tricks that let them “correct” their declared age upward and bypass restrictions.
So the ban hasn’t banned much at all. What it has done is build the infrastructure to verify users’ ages and, by extension, the identities of every single person who wants to use a major social media platform. And amongst Australian adults, this potentially affects 87% of the entire population.
This is happening across the English-speaking and European world right now. What is being built right now is not just a means to ‘protect children’ from harmful online content. Keep in mind that once an identity layer like this exists, it rarely stays confined to its original purpose.
In this article I cover:
What’s being legislated in Australia, the UK and the EU, and how it all converges on one outcome
The real mechanism behind every age check
Who ends up paying the price for these laws
The slippery-slope parallel to financial surveillance, and why “it’s just for child safety” rarely stays that way
Why even China, with total control of its internet, can’t win the VPN game, and what that means for the UK and EU
A practical toolkit: decentralized VPNs, self-hosting, and concrete steps to keep your identity off the grid
What is being legislated?
Australia moved first. Since 10 December 2025, platforms including Facebook, Instagram, TikTok, Snapchat, YouTube, Substack, Threads, X, Twitch, Kick and Reddit have been required to take “reasonable steps” to prevent under-16s from holding accounts.
The eSafety Commissioner has pushed platforms toward a “waterfall” approach to age checks, layering multiple verification methods rather than relying on users simply ticking a box. Platforms can’t ask for government ID directly, but they have free rein on facial scanning, behavioral tracking and third-party verification services to fulfill the age requirements.
Five major platforms are currently under investigation for non-compliance, with enforcement decisions expected by mid-2026.
The UK has gone further. The Online Safety Act already requires age verification for adult content, enforced by Ofcom with real financial penalties attached. On 15 June 2026, the government announced a parallel ban on social media for under-16s, with full enactment expected by spring 2027.
More notable is what the House of Lords voted through in January: an amendment requiring VPN providers to verify the age of every UK user, blocking anyone under 18, alongside mandatory “tamper-proof” scanning software on every smartphone and tablet sold in the country. Those amendments still need to clear the Commons, but the direction of travel is clear.
The EU is building something more structural. The Digital Services Act already requires large platforms to protect minors, and the European Commission has been racing to roll out an age verification app, sometimes called the “mini-wallet,” ahead of its full European Digital Identity Wallet, due by the end of 2026.
France, Italy, Spain, Denmark and Greece are piloting it now, often folded directly into national digital ID apps people already use for tax and government services. The long-term plan is full cross-border interoperability: one verified digital identity, recognized everywhere in the EU, that confirms your age without (in theory) revealing anything else about you.
Three different countries, three different legal mechanisms, all converging on the same outcome: an internet where your identity is checked before you’re allowed to participate.
What’s the problem with age verification?
The age check itself isn’t really the problem. Restricting children's and teenagers’ unfettered access to social media isn’t the problem either. Few people would argue that excessive social media use is beneficial for developing minds. To be very clear, this is not about protecting children's ‘freedoms’ to access any and all online content.
The problem is what an age check requires underneath it, and what the implications of these checks are for the entire population.
To reliably determine whether someone is over or under 16, a platform needs to tie an account to a verified real-world identity at least once. That single act of verification is the entire point.
It doesn’t matter how privacy-preserving the technology claims to be. Once a system exists that can confirm “this account belongs to a real, identified adult,” that capability doesn’t just disappear after the age check. It remains available for whatever the platform or the government behind it decides to use it for next.
A few specific verification mechanisms that are either proposed or already in use:
Identity-to-profile linkage. Facial scans, document uploads, and third-party verification services like Yoti all create a record, somewhere, connecting a real person to an online account. Even with “zero-knowledge proof” designs that claim not to store the underlying data, the verification event itself and who performed it still occurred. As users, we are expected to just trust that it will not be logged, retained, or subpoenaed later.
Device-level checks. The UK’s proposed mandatory scanning software on every phone and tablet sold in the country is the clearest example. This isn’t age-gating just one app - it’s building the capability into the hardware layer itself. It affects what your device is permitted to do, full stop.
VPN targeting. VPNs have been the obvious workaround to every age verification scheme since they started, and lawmakers know it. The UK’s proposed requirement that VPN providers verify the age of all users is a direct attempt to close that gap. Once a government can compel a privacy tool whose entire purpose is preventing this kind of tracking to identify its users, the tool has already been hollowed out from the inside.
Centralized digital ID as the backbone. The EU’s approach is the most open about where this is heading. They aren’t pretending the age verification app is a standalone tool. It’s explicitly built on the same technical foundation as the EU Digital Identity Wallet, the thing meant to eventually hold your tax records, your driving licence and your medical credentials, all in one verified, government-recognized identity layer.
Age verification isn’t the destination. It’s the on-ramp.
You may also like…
Bitcoin Node + Sparrow Wallet = Better Privacy
If you were anything like me when you first started accumulating Bitcoin, you probably imagined it like a bank account - you’d buy some Bitcoin and send it to the Bitcoin address on your hardware wallet.
Who will be caught in this?
Let’s start with the people these laws are supposedly meant to protect. Under-16s aren’t being kept off these platforms; they’re finding loopholes, including using older siblings’ or parents’ verified identities, gaming facial-estimation tools, or switching to platforms that haven’t yet been designated “age-restricted.”
Australia’s own regulator admits this. The harm signals haven’t dropped. What’s changed is that everyone above them is now also expected to prove their identity to use the same services.
Adults who have never had any reason to be tracked, profiled, or identity-checked online are now being routed through facial scans and ID uploads to do completely ordinary things: scroll a feed, message a friend, or watch a video.
The justification doesn’t apply to a 45-year-old, but the infrastructure doesn’t distinguish. And that’s the whole design.
And once that infrastructure exists, it has a track record of expanding well past its original brief. Financial surveillance went through exactly this arc. CARF, DAC8, and the US’s 1099-DA reporting requirements weren’t introduced as general financial tracking tools; they were framed as closing tax compliance gaps.
Each step was narrow and reasonable on its own. The cumulative effect, a few years later, is a level of financial visibility that would have been unthinkable to propose directly.
Age verification follows the same pattern. Nobody is introducing a single bill that would make “mandatory digital ID to use the internet,” because that wouldn’t pass. Instead, it is built in parts: an age check here, a device scan there, a VPN restriction after that.
Each part is justified individually. And each one, on its own, sounds reasonable. Put together, you get a different internet than the one that existed five years ago, and almost nobody voted directly for that outcome.
And there is another issue at stake here: it is not the state’s job to decide how parents raise their children. Parents should be entirely capable of deciding what their own kids see and do online, without a national identity infrastructure built around it.
And the moral authority being claimed here, that the state is stepping in purely to protect children, requires some serious scrutiny, given their track record. For example, in 2020 and 2022, governments worldwide made sweeping decisions affecting children’s lives with essentially no parental input.
Schools were closed for extended periods. Kids were kept from friends and extended family for months at a stretch. Masks were mandated for children with no proven health benefit to justify it. And many of the same governments pushed children into experimental injection programs despite known risks, both known (myocarditis) and unknown.
Whatever you believe about whether any of that was justified, it was the state making the call - over the heads of parents - with minimal debate and no accountability afterward.
That’s the same institution that is now positioning itself as the protector of children online. Forgive my skepticism.
China and the Great Firewall
China is the poster child for internet restrictions and is cited every time this debate comes up - and for good reason. China has spent many years building a fully ring-fenced internet.
Real-name registration is mandatory, the Great Firewall blocks foreign platforms outright, and the state controls the infrastructure end to end, from the cables to the apps to the identity systems sitting on top of them.
The UK, the EU, and Australia are not in the same position. They don’t own the infrastructure. The platforms people actually use, Meta, Google, TikTok, Apple, are foreign companies, and these governments have to legislate compliance out of them rather than build a state-controlled alternative.
That’s a fundamentally weaker position, relying on fines, public pressure and regulatory escalation against companies that can, in theory, simply deprioritize a market if the compliance burden gets bad enough.
And to assume these systems will work as intended is to give these governments a very big benefit of the doubt: even China, with total infrastructure control, cannot fully win this game. VPN use is illegal for unlicensed providers, and yet VPNs remain widely used. The Chinese government is in a continuous arms race with resourceful ‘netizens’ who find new ways to bypass restrictions.
It’s a permanent game of whack-a-mole, blocking known IP ranges only for providers to rotate to new ones, going on for over a decade with no resolution.
The reason is simple, and it applies just as much to the UK or the EU as it does to China. IP address blocklisting, the blunt tool every government reaches for, doesn’t work well against a determined provider or equally determined users.
VPN companies rotate exit node IPs constantly, and many use obfuscation protocols specifically designed to make VPN traffic indistinguishable from ordinary encrypted web traffic, so a censor can’t even reliably tell a VPN connection is happening.
Beyond that, there are entire categories of tools that don’t depend on a single company anyone can legislate against. Decentralized VPN networks, where exit nodes are run by thousands of independent individuals rather than a single corporate server farm, exist precisely because they remove the single point of failure that a government would need to target.
Tor and I2P route traffic through volunteer-run relay networks with no central operator. And for anyone with modest technical comfort, setting up a personal VPN server using something like WireGuard or Outline on a cheap cloud server takes an afternoon, with a unique IP that has no public association to any “VPN provider,” making it functionally invisible to a blocklist built around known commercial services.
If China, with a sovereign internet stack it built from scratch, can’t close this gap after more than a decade of trying, the idea that the UK or EU will succeed by leaning on foreign tech companies and IP blocklists is optimistic at best.
What they will succeed at is getting ordinary, non-technical adults to identify themselves and use ordinary platforms. The people determined to get around it, including the under-16s these laws are nominally about, will mostly find a way.
The compliance burden falls mostly on the people who were never the purported target.
What you can do to protect yourself
You don’t need to wait until you’re forced into a fully identified internet to start reducing your exposure. A few practical steps you can take:
Separate your identity from your accounts where you still can. Use different emails and usernames across platforms rather than one identity stitched across everything. Tools like Proton Mail allow you to use aliases so you don’t have everything connected to a single address.
Look at decentralized VPN options now, before you need them. Networks like Mysterium or Sentinel route traffic through independently run nodes, making them structurally harder to legislate against than a traditional VPN provider.
Consider self-hosting. Running your own VPN server via WireGuard or Outline on a low-cost cloud VPS gives you an exit point that isn’t on anyone’s commercial blocklist. This is a good option for those with more technical savviness.
Minimize centralized accounts tied to verified ID. Where a service doesn’t strictly need to know who you are, don’t give it the option to find out.
Pay attention to the organizations tracking this in detail. Groups like the Open Rights Group, Big Brother Watch and the EFF follow these bills clause by clause, and are often first to flag when a “child safety” provision quietly expands scope.
Diversify the platforms and identity systems you depend on. The more of your digital life that runs through a single verified identity, the more leverage that system has over you if it’s ever misused, breached, or expanded beyond its original purpose.
Use a privacy phone with an open-source OS like GrapheneOS installed on a Google Pixel phone. GrapheneOS is a hardened, open-source Android build that strips out Google's surveillance layer entirely, no telemetry, no ad IDs, no vendor backend access, while adding stronger sandboxing, granular permissions and hardware-backed verified boot.
None of this requires hiding anything. It simply means not handing over identity infrastructure to systems that have repeatedly shown scope creep, and an inability to adequately protect private data from hacks and breaches.
You may also like…
⛔️ FINANCIAL DISCLAIMER: This content is for informational and entertainment purposes only and should not be considered financial, investment, or legal advice. I am not a licensed financial advisor, accountant, or investment professional. The information shared in this post reflects my personal opinions and is based on publicly available data at the time of writing. All investment decisions—especially those involving Bitcoin or other digital assets—carry risk and should be made only after conducting your own due diligence and consulting with a qualified financial advisor. Never invest more than you can afford to lose. My views are my own and do not reflect those of any of my affiliate partners or sponsors.





