Passa al contenuto principale

Age verification for social media – the beginning of the end for a free internet?

Privacy 

So-called age verification for social media is spreading across the world, framed as an effort to create a safer internet for children. In reality, age verification lays the foundation for a fully government controlled internet.

Countries around the world are moving to introduce online age verification. Part of this involves age verification for harmful content (most often pornography, sometimes video games), but above all it focuses on banning social media for children.

The big tech social media companies are bad. Their business model is bad; it is based on mass surveillance and manipulation, and they cooperate with governments in mapping entire populations. But age verification is fundamentally the wrong approach to preventing children from using big tech social media platforms. Introducing age verification is based on the state being able to force social media companies to verify their users’ identities. But the big tech social media platforms already know which of their users are children. Their business model depends on knowing this. They know how old users are, who their friends are and what ice cream they like. As age verification is based on coercion of the social media platforms, politicians could instead force them to stop doing the things politicians consider harmful to children, or force them to block children (again, they know who they are) from using their services. But instead, politicians seek to massively invade everyone’s privacy and undermine democratic rights on a global scale. In other words, the latter is the real objective – they do not want to protect children; they want to impose control.

And impose it they do. Australia has already introduced a social media age restriction for users under 16. The same applies to Indonesia and Brazil. Age restrictions have been approved but not yet implemented in Denmark, Portugal, and Malaysia. In France, an agreement has been reached, though details are still being discussed. Proposals are on the table in Spain and Turkey. In Germany, the major parties agree on introducing age restrictions, and in Sweden the issue is under investigation. The topic is also being discussed in countries such as the Czech Republic, Greece, Austria, Poland, Canada, Slovenia, and the Netherlands. In April 2026, the European Commission launched an EU age verification app, and one month later Ursula von der Leyen presented plans for EU-wide age restrictions. In the United States, half of all states either have pending legislation or have already introduced laws imposing age restrictions for inappropriate content and/or social media. The number of countries preparing age verification measures is growing rapidly. Updates can be followed on Techpolicy.press.

Most age verification is identity verification

As age verification is currently being rolled out, it is up to individual websites and services to implement it as they see fit. As a result, the quality of age verification measures varies greatly. This became clear in the autumn of 2025, when Discord was hacked, exposing the ID documents of 70,000 users. However, there is one common factor in most age verification systems (Zero-Knowledge Proof being an exception, more on that below): if age verification is introduced, everyone will have to identify themselves either to the service/website they want to use or to a third party capable of linking them to their activity on that service/website. The correct term for age verification as it is implemented today is therefore identity verification. Given today’s internet infrastructure, it is unreasonable to assume that this information will not be shared through commercial agreements or with governments.

The consequence of introducing identity verification is therefore that freedom of information is restricted (you can no longer visit regulated websites anonymously) and that you can no longer post anonymously on social media. You cannot be certain that your criticism of the government will not be followed up by the authorities. You can no longer start a digital initiative on a social media platform aimed at gathering people to criticize an authority without facing a significant risk of consequences. Depending on the country you live in, this could even endanger your life. In its current form, social media identity verification removes important tools for activists in countries where criticizing those in power is dangerous.

Freedom of expression is threatened not only in a direct sense (you post something and then the police knock on your door), identity verification also creates a chilling effect. It becomes a cornerstone of censorship machinery in the sense that people begin to self-censor if they know that expressing opinions may have personal consequences. This is also something that changes over time. What is considered acceptable to post online is determined by whoever currently holds power. Different sides of politics often have different views on what constitutes harmful content. Just because what you post today is not considered inappropriate does not mean it will remain acceptable in the future.

Broad and arbitrary legislation, along with mandatory ID tagging for every post, hardly provides a strong foundation for freedom of expression. Today, 30 people are arrested every day in the United Kingdom for posting something online that authorities classify as “grossly offensive.” In Germany, police conduct raids on people’s homes for insulting politicians online. One infamous example is the so-called “Pimmelgate,” where a person was subject to a police search after calling a German politician a term for male genitalia. In the United States, authorities are trying to pressure tech companies into revealing the identities behind accounts protesting ICE. Another example is when Canada introduced emergency acts during the 2022 trucker protests and then used social media to identify demonstrators and freeze the bank accounts of people who financially supported the protest.

The slippery slope of age verification. VPN next?

Restrictions introduced at the national level can be bypassed by changing one’s geographic location digitally, using tools such as VPNs, virtual phone numbers, eSIM cards, Tor and dedicated services. This has already led politicians in several countries to consider introducing identity verification for VPN services (presumably because VPNs are the most common and accessible method of changing digital location).

In the United Kingdom, the House of Lords sent an amendment in early 2026 (regarding the the Children’s Wellbeing and Schools Bill) to the House of Commons, proposing an 18-year age limit for using VPN services. The House of Commons rejected the House of Lords amendment four separate times. However, the House of Commons instead introduced its own proposal, which was passed and has now become law. This agreement grants the government the power to introduce restrictions through secondary legislation, with only limited parliamentary scrutiny. The government has confirmed that it intends to act on this and introduce some form of social media restriction for children under 16. The government has also hinted that it may consider introducing identity verification for VPN usage, effectively joining countries such as China and Russia in opposing VPN services.

The issue has also been raised in France. As Minister for AI and Digital Affairs Anne Le Hénanff put it: “If [this legislation] allows us to protect a very large majority of children, we will continue. And VPNs are the next topic on my list.” Discussions about VPN restrictions have also occurred in the United States. Utah has gone the furthest by introducing a law making it illegal to circumvent restrictions using a VPN. Within the EU, VPN restrictions have been discussed both under the Going Dark initiative and in discussions related to age verification. In response to a direct question about VPNs as a tool for bypassing age verification, EU Commissioner Henna Virkkunen said in April: “Of course, it's an important part of the next steps also to look at that it [age verification] shouldn't be circumvented.”

If VPN services were to implement identity verification, this would mean collecting data that could be abused through either malice or incompetence. It would, for example, make such services risky for whistleblowers and activists, make it harder for journalists to work with sensitive information, and create a chilling effect on online debate (VPNs can help people post anonymously on social media).

If VPN providers were to impose an age limit on their service, this would also mean that underage users would effectively lose their right to online privacy. Ironically, one consequence would be that social media companies mapping people’s lives through third-party trackers on websites could continue monitoring young people’s online behavior via their IP addresses without any interference. In other words, politicians would remove one of the protections children have against the very companies they claim to want to protect children from.

Identity verification in app stores and at the operating system level

As identity verification is now being introduced globally, different parts of the world are implementing it in different ways. Some countries believe the best solution is to impose controls through major app stores such as Apple’s App Store and Google Play. In Australia, Brazil, South Korea, Singapore, and several US states, Apple has already begun introducing identity verification at the App Store level to restrict access to apps containing adult content.

Identity verification in app stores only regulates access to apps. Therefore, several countries have also begun demanding identity verification at the operating system level itself in order to block access to certain websites directly through the OS. In the United Kingdom, Apple has already introduced this – despite there being no law requiring it (Apple is, however, under general pressure from British authorities). Without warning, Apple implemented identity verification on British iPhones through its system update on March 24, 2026. Suddenly, 35 million British users had to identify themselves using either a credit card or a government-issued ID card in order to avoid restrictions on their phones. Users who did not verify their identity saw their devices enter a mode where Apple’s web content filter and communication safety features were automatically activated, limiting which websites could be visited in Safari or any third-party browser, while messaging services and FaceTime were being monitored for inappropriate content.

When Apple introduced OS-level identity verification in the UK, reports quickly emerged of people bypassing it by creating US-based Apple IDs instead. App store-level identity verification can be circumvented in the same way. And this is how things will continue. The situation will not fundamentally change unless Apple and Google (assuming Google also locks down its system and introduces identity verification) implement these controls in their operating systems globally. But even then, there would still be ways to circumvent restrictions.

Users could, for example, turn to open-source operating systems, which by definition cannot be fully controlled because they are open and modifiable. In such systems, no one else can decide which apps you download or which websites you visit, and no identity verification can be imposed unless you choose it yourself. This points to the final stage for countries seeking total control over their citizens’ use of the internet. National identity verification can be bypassed again and again until authoritarian governments are ultimately forced to ban people from owning devices they control themselves. The only question is how this would be implemented. Well, we will soon find out … In Brazil, a law implemented in March 2026 states that identity verification must be carried out both at the app store level and within the operating system itself (including open-source systems), or companies distributing these services will face fines of up to $10 million. A similar law has passed in California which will require identity verification at the operating system level starting in January 2027. Open-source systems were initially included, but later removed, while web browsers and websites were added to the scope. Similar proposals exist in states such as Colorado and New York. In April 2026, a federal proposal was introduced that would require OS-level identity verification across the United States.

The final destination: state-provided phones and computers for all?

It will be interesting to follow the countries that pursue system-level control as they move further down the slippery slope toward open-source systems. Since open-source systems cannot be controlled, politicians would ultimately need to ban devices that are not controlled by the state. The end point: telescreens like those in Orwell’s 1984, devices that both monitor you and broadcast only the information approved by the state. One can only imagine the methods. Will the police stop and search people on the street looking for unauthorized phones? Prison sentences for buying a non-state computer on the black market? Charges of organized crime for smuggling in containers of open-source software on USB sticks? Welcome to a brave new world.

The Zero-Knowledge Proof alternative and the EU

While the rest of the world is moving forward with identity verification plans, the EU has presented its own privacy-focused approach to age verification. In April 2026, Ursula von der Leyen, President of the European Commission, unveiled an age verification app with “the highest privacy standards in the world” and the presentation materials describe the app as “completely anonymous.”

The EU app is open source, and the EU countries are supposed to use it to create their own versions, and become the issuers of the age credentials that their citizens can then use. This means we may see many different versions of age verification from member states (if they even choose the EU app at all; several countries have already said they prefer to develop their own independent solutions).

At its core, the EU app works like this: you, as the user, provide your identity to an issuer using something like an ID card. The EU envisions member states acting as issuers. The issuer then provides you with a number of credentials that you can use on websites and social media platforms to prove that you are old enough. These credentials only confirm that you meet the age requirement; they do not reveal your identity to the website or platform. Each credential is also used only once. For example, Facebook and X would receive different credentials that they cannot link together, meaning they cannot be used to build a pattern or profile of your internet behavior (and thereby identify who you are). This setup is why – we assume – the EU calls their app completely anonymous. There’s only one little problem. The issuer knows which credentials belong to which person. If you were to post something the state considers inappropriate on some platform, the state could ask the platform for the age credential and easily identify who it belongs to. The consequence is that you cannot post anonymously.

The solution to this problem is so called Zero-Knowledge Proof (ZKP) cryptography. With fully developed ZKP technology, you still need to provide your identity to the issuer, but the issuer would not be able to connect the credentials used on websites and services back to you. Right now, the EU app does not have ZKP functionality, contrasting Ursula von der Leyen’s claim that the app ”is technically ready to be used”. But more importantly, the app is currently designed to always function without ZKP technology; if ZKP is unavailable, the app falls back to a non-ZKP model. Even if fully developed ZKP technology could be implemented in the future, it would remain an optional extra feature that countries may choose to disable and that the EU could remove at any time.

This means that the EU could decide at any time that ZKP may no longer be used, and in one stroke the app would fall back to its default mode, meaning that every post on social media carries an ID tag. By that point, an infrastructure will already have been rolled out; people will have gotten used to it, and it will be harder to roll it back.

Age verification based on Zero-Knowledge Proof technology would be better than full on identity verification. However, even with fully functioning ZKP technology, age verification would still have significant problems. One issue is that people without ID documents would be excluded (determining age through facial recognition, for example, is not sufficiently precise). It would also enable states to revoke “problematic” individuals’ ability to express themselves online by refusing to issue age credentials. Another concerns a more fundamental question: is it really reasonable that young people should be entirely prevented from using social media? Is it desirable that 15-year-olds are completely blocked from expressing themselves on platforms that reach the public? Not all social media platforms are based on collecting data about everyone, manipulating users, and algorithmically steering them in various directions. An illustrative example is that the UK’s Online Safety Act may limit access to Wikipedia. The assumption that age verification would gradually expand and exclude young people from meaningful digital meeting spaces is not far-fetched.

Identity verification for social media – just another “what about the children” excuse to introduce mass surveillance and censorship.

Children’s “safety” has long been used by intelligence agencies and other authorities as a battering ram for introducing mass surveillance, especially in recent years. In the United States, attempts were made under the Kids Online Safety Act (KOSA) to introduce identity verification using children as the justification. The same applies to the UK’s Online Safety Act, where politicians repeatedly test whether they can get scanning of end-to-end encrypted communication approved. In the EU, authorities have tried (hand in hand with American tech companies and intelligence agencies) to introduce total mass surveillance through the scanning of all communication. During 2026, the EU will make another attempt through its Going Dark/ProtectEU project, where the goal is client-side scanning – in other words, government spyware on all devices.

The age verification rush must be slowed down, and politicians who do not want a society in which citizens live under total surveillance need to recognize the consequences of different types of legislation.