Show me your ID to read the internet — the rise of mandatory age verification

Published Jul 02, 2026 by Xiph

For most of the internet’s life, proving your age meant ticking a box that swore you were over 18 and getting on with your day — a formality nobody believed, and not really a checkpoint. That era is closing. Across the United Kingdom, the European Union and now Australia, governments have decided the honour system has to go, and that access to whole categories of the internet should depend on proving who you are: with a document, a card, or your face. The stated target is children and the harmful material they can stumble into. The mechanism is far broader — a requirement that ordinary adults identify themselves to read, watch and post online.

What “age verification” actually means now

The phrase regulators keep using is “highly effective age assurance,” and the operative word is effective. A self-declared birthday no longer counts. In practice they reach for one of a handful of methods: a photo of a passport or licence; “facial age estimation,” where software guesses your age from a selfie; a credit-card check; or a digital-ID wallet that vouches for you. These sit on a spectrum that matters for security: at one end, a check that returns a yes-or-no and stores nothing; at the other, a passport upload that creates a permanent, sensitive record on someone else’s server. Same goal, very different risk — and so far the blunt end is winning.

The UK switched it on — and the backlash was instant

Britain moved first and hardest. From 25 July 2025, the Online Safety Act required platforms to use highly effective age checks before showing pornography or content promoting suicide, self-harm or eating disorders, with social media and search also obliged to shield minors from “harmful” content. The regulator, Ofcom, can levy fines of up to £18 million or 10% of global turnover.

The public response was immediate and loud. A petition to repeal the Act gathered hundreds of thousands of signatures within days — passing 450,000 almost at once, and eventually topping 550,000 — forcing a parliamentary debate. The government’s reply was blunt: it has no plans to repeal the Act. Meanwhile VPN sign-ups exploded, with Proton reporting a more than fourteenfold surge in the hours after enforcement began, and by February 2026 the operator behind Pornhub had simply blocked UK users who hadn’t already verified.

Watch where the requirement travelled. It arrived for pornography, then spread to social media, search, app stores and even the device’s operating system, with Apple prompting UK users to confirm their age or accept content filters. We’ve traced this wider pattern in the surveillance ratchet; age verification is its leading edge.

Australia went further — and got there first on kids

Australia didn’t follow Britain here. On children, we led the world. The Online Safety Amendment (Social Media Minimum Age) Act, passed in late 2024, took effect on 10 December 2025 and bars under-16s from holding accounts on Facebook, Instagram, TikTok, Snapchat, X, Reddit, Threads, Twitch, Kick and YouTube. The onus sits on the platforms, not parents or teenagers — there are no penalties for families, but non-compliant companies face fines of up to A$99 million.

Credit where it’s due: Australia built in real privacy guardrails. No Australian can be compelled to use government ID or the Digital ID system to prove their age, platforms must offer reasonable alternatives, and identity data collected for age checks must be destroyed once it has done its job. Around nine in ten Australian adults support age assurance in principle — yet the same research shows little trust in platforms to handle the data safely.

That instinct looks well-founded. Within hours of the ban going live, teenagers were reportedly bypassing it with VPNs and with age-estimation tools misjudging faces, and the Prime Minister conceded the system would not be perfect — comparing it to alcohol laws that teenagers occasionally evade. And the methods carry a cost of their own: between Meta’s face-scan-or-ID checks and eSafety’s behavioural “signals” for spotting children, keeping kids off a platform means inspecting everyone on it.

The EU’s quieter, smarter version

The EU is pulling the same lever, but with more care for what should worry security teams most. Under Article 28 of the Digital Services Act, large platforms must protect minors, and to help them the Commission has built an age-verification “mini wallet.” Released as a blueprint in July 2025 and declared technically ready in April 2026, it is being piloted across Denmark, France, Greece, Italy and Spain, with Ireland and Cyprus close behind.

What sets it apart is the cryptography. The app uses zero-knowledge proofs — a method that lets you prove you are over 18 without revealing your name, your date of birth or anything else. The platform receives a plain “over 18” token and nothing more. Privacy advocates warn that normalising ID-gating carries risks of its own. But on the narrow question of what data gets stored, the EU model is the one that actually answers it: ideally, nothing.

The part a security professional can’t ignore

The problem age verification creates is plain: it manufactures exactly the data criminals want most. A face, a name, and a government ID, neatly linked — and frequently collected by a third-party vendor you have never heard of.

We don’t have to imagine the consequences. In October 2025, Discord disclosed that attackers had compromised a third-party support provider and exposed roughly 70,000 government-ID photos used for age-related appeals — many of them selfies of users holding their ID up to the camera. The attackers claimed the true haul ran to millions. Discord had been collecting that data partly to satisfy the UK’s new law. A ticked box cannot be stolen. A passport scan can.

Two lessons follow for Australian organisations. The first is that the danger usually lives in the supply chain — it was a vendor that was breached, just as a third-party call centre was the way into Qantas’s customer data. The second is the discipline regulators keep urging: collect less. Australia’s own age-assurance trial flagged providers “over-anticipating” how much data to retain, which only raises the odds of a breach, and the OAIC has put platforms on notice that the Privacy Act applies in full. The safest age check is the one that returns a yes-or-no and keeps nothing at all.

Why this matters in Australia

It is tempting to file age verification under “overseas news.” Don’t. On the kids’ ban we were the test case the world is now studying, and the checks keep spreading into search, app stores and operating systems. The deeper risk isn’t any single rule; the harms these laws target are real, and reasonable people can disagree on each one. The risk is cumulative: once the rails are laid, widening their use costs almost nothing — just a new line in a regulation.

For businesses the message is sharper still. If your service has social features, hosts adult or “harmful” content, or even runs a busy forum, you may soon be collecting identity data to comply — and the moment that store of verified faces and documents exists, it is a liability rather than an asset, with Privacy Act and age-assurance obligations attached.

What you can do now

You can’t repeal a global trend, but you can refuse to be an easy target.

For individuals:

  • Favour checks that store nothing. Where a service offers on-device facial estimation or a zero-knowledge wallet, prefer it to uploading your passport — and think twice before handing a raw ID to a platform that offers nothing better.

  • Harden the device, not just the apps. A hardened handset such as a GrapheneOS phone strips out the tracking an ordinary phone leaks by default.

  • Keep your conversations yours. End-to-end encrypted communications and a physical security key shut down the eavesdropping and account takeover no policy will fix for you.

  • Leave a smaller shadow. Share less, add a private SIM or Faraday pouch if your threat model calls for it, and treat free VPNs with caution — they route your traffic through someone else.

For businesses:

  • Collect less, by design. You can’t be breached out of data you never held. Prefer age-assurance vendors that return a yes-or-no attestation rather than raw IDs, and delete what you don’t need.

  • Know your supply chain. The breach is usually at the vendor. Vet the third parties handling any identity data, and know exactly what they store and for how long.

  • Treat identity data as a liability. The new age-assurance codes and any biometric deployment carry real Privacy Act duties — build for them, don’t hoard against them.

  • Bring in expertise early. A risk audit, system hardening and a virtual CISO cost far less before an incident than after one.
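An added example, not code from Xiph or from any vendor named above, of the "collect less, by design" pattern in the business list: the service accepts a signed yes-or-no attestation, refuses any token that carries extra identity fields, and persists only the answer. The token layout, the shared HMAC key and the function names are assumptions made for this sketch; a real vendor defines its own format and signature scheme.

```python
import base64
import hashlib
import hmac
import json

# Assumptions for this sketch: a key shared with a hypothetical vendor, and a
# made-up token layout of base64url(payload) + "." + base64url(HMAC-SHA256 tag).
VENDOR_KEY = b"constructed-demo-key"
ALLOWED_CLAIMS = {"over_18", "nonce", "exp"}  # anything else is over-collection


def _b64d(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _b64e(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def make_token(claims: dict, key: bytes = VENDOR_KEY) -> str:
    """Vendor side, included only so the example is self-contained."""
    body = _b64e(json.dumps(claims, sort_keys=True).encode())
    tag = hmac.new(key, body.encode(), hashlib.sha256).digest()
    return f"{body}.{_b64e(tag)}"


def accept_attestation(token: str, session_nonce: str, now: float) -> dict:
    """Verify the token and return the only record the service persists."""
    try:
        body, tag = token.split(".")
        given = _b64d(tag)
    except ValueError as exc:
        raise ValueError("malformed token") from exc
    expected = hmac.new(VENDOR_KEY, body.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, given):
        raise ValueError("bad signature")
    claims = json.loads(_b64d(body))
    extra = set(claims) - ALLOWED_CLAIMS
    if extra:
        # Refuse identity data outright rather than receiving and discarding it.
        raise ValueError(f"unexpected claims: {sorted(extra)}")
    if claims.get("nonce") != session_nonce:
        raise ValueError("nonce mismatch (replayed or foreign token)")
    if claims.get("exp", 0) < now:
        raise ValueError("attestation expired")
    # No name, birth date, document or face image is stored: just the answer.
    return {"age_ok": claims.get("over_18") is True, "checked_at": int(now)}
```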

A final word

The promise of age verification is a fleeting yes-or-no: prove it once, privately, and move on. The reality, on the blunt end, is a permanent record — your face and your ID, on a server, waiting. The harms these laws set out to address are real, and the debate over how to balance them is worth having. But the security lesson underneath it is not complicated: you cannot lose what you never stored.

At Xiph Cyber we’ve made this case, and supplied the tools, for years — hardened devices, encrypted communications, security keys, and the consulting to use them well. If you’d like help working out what these obligations mean for your organisation — and how to meet them without making your customers’ identities your next breach — get in touch at enquiries@xiphcyber.com.

