Social Media Ban for Under 16s: The Cyber Risk and Expert Consensus the Government Won't Acknowledge

AI Use: AI tools were used to support source discovery and to structure the article for clarity. All research, verification, drafting, and final editorial decisions are fully human led.

On 15 June 2026, Prime Minister Keir Starmer and Technology Secretary Liz Kendall announced that social media platforms will be legally barred from offering services to children under 16 in the UK. The plans, described by the government as going "further than any other country in the world", follow Australia's legislative model and are expected to be brought to Parliament before Christmas, with protections potentially in force by spring 2027.

More than 116,000 responses were submitted to the national consultation that preceded today's announcement. Nine in ten parents said they backed a ban. Two thirds of young people agreed that under 16s should not be allowed to use at least some social media platforms. Politically, the ground was well prepared.

What the Government Has Announced

  • Social media ban: Platforms whose purpose is to enable social interaction and which allow users to post content, including Snapchat, TikTok, YouTube, Instagram, Facebook and X, will be prohibited from offering services to under 16s.
  • Messaging excluded: Services like WhatsApp and Signal are not included in the social media ban.
  • Wider restrictions: Harmful functions including livestreaming and stranger communication with children will be blocked on a broader range of online services, including gaming platforms.
  • AI chatbots: AI "romantic companion" chatbots must enforce a minimum age of 18. Intimate AI chatbot functions will be restricted for under 18s more broadly.
  • Age assurance: Ofcom will conduct a rapid study on highly effective age assurance (HEAA) measures. The Secretary of State has written to Ofcom's new Chair requesting an urgent review of enforcement capabilities.
  • Timetable: Secondary legislation will be made under powers already taken via the Children's Wellbeing and Schools Act. First regulations could be in effect in spring 2027.

The harm the government is responding to is real. Algorithmic feeds on social media platforms can intensify children's exposure to dangerous or distressing material. Real time content is harder to moderate. The government's own data and the responses it received from families make clear that many parents feel they have lost control of what their children access online, and when.

But the scale of the announcement does not make the mechanism sound. And there are two significant problems with this policy that are not being addressed in today's press release.

A ban on under 16s using social media is only as effective as the system used to verify ages. The government has acknowledged this, tasking Ofcom with studying what constitutes "highly effective age assurance." What it has not done is explain honestly what effective age assurance actually requires, or what it costs in terms of privacy and security.

Age verification at scale means collecting identity signals. In practice, that means some combination of official documentation such as passports and driving licences, biometric data such as facial analysis or age estimation, or linked financial records. None of those data types is trivial. They are among the most sensitive categories of personal information that exist. And under this policy, they would need to be processed, held, or transmitted by private companies operating under government mandate.

What Effective Age Assurance Requires in Practice

  • Identity documentation: Official ID such as a passport or driving licence to confirm age with reasonable certainty.
  • Biometric processing: Many age assurance systems use facial analysis to estimate age or verify identity against a document scan.
  • Data storage: Verification status must be held somewhere (on the device, in a cloud system, or with a third party provider) to function across multiple services.
  • Third party infrastructure: Platforms are unlikely to build their own verification systems. The market is dominated by a small number of specialist private firms whose security standards are not publicly audited.

A High Value Target for Hackers and Foreign States

The UK's cyber attack surface is not a theoretical concept. It is made up of every database, every system, every contractor holding information that people have been required to provide in order to access services. The government is proposing to add to it: a mandatory identity and age verification infrastructure covering every child and adult in the country who wishes to use social media or other in scope platforms.

That is an extraordinarily high value dataset. A database linking the identities, biometric records, and online behaviour of millions of UK residents is precisely the kind of asset that hostile states and criminal organisations target. We know this from experience, not theory. The NHS has been hit by multiple ransomware attacks in recent years. The Electoral Commission disclosed in 2023 that a breach had exposed data relating to approximately 40 million people. The Police Service of Northern Ireland accidentally published the personal details of every serving officer. These are not edge cases; they reflect a structural problem in how large centralised datasets are managed and protected in this country.

The risk is not confined to large public institutions. In October 2025, Discord disclosed that official ID photos belonging to approximately 70,000 users had potentially been leaked following a cyber attack not on Discord itself, but on the third party company it had contracted to verify user ages. The hackers obtained passport scans and other identity documents that people had submitted for the sole purpose of proving their age on a platform. Information like official ID numbers is, as the BBC reported at the time, "especially valuable because, unlike credit card details, it typically remains unchanged over time." Discord is a single platform. The government is proposing mandatory age verification across an entire category of the internet.

The government has already signalled it is aware of the tension. Its announcement explicitly states that age assurance measures must work "without threatening privacy." But that instruction is in direct conflict with what effective age verification actually requires. You cannot verify identity at scale without processing identity data. The government has not resolved this contradiction; it has simply stated that it expects both things to be true simultaneously.

The Government's Position

  • Privacy assurances: Age assurance measures must work "without threatening privacy."
  • Ofcom oversight: The regulator will conduct a rapid study on highly effective age assurance and publish an enforcement strategy.
  • Existing law: The Online Safety Act and UK GDPR place obligations on companies handling personal data.
  • Funding: The government has confirmed Ofcom will receive funding to carry out its expanded responsibilities.

The Security Reality

  • Data concentration risk: Centralising identity and biometric data creates a single point of failure that is a prime target for state sponsored attackers.
  • Private sector custody: Verification infrastructure will be held by private companies, not regulated public bodies, with variable security standards.
  • UK breach history: NHS Trusts, the Electoral Commission, and government contractors have all been successfully compromised in recent years.
  • No liability framework: The announcement does not address what happens when a verification provider is breached or who bears responsibility.

What Experts Have Actually Been Saying

The government says it has listened to parents, children, and experts. It held one of the largest national consultations in recent memory. But there is a persistent gap between the evidence from child safety research and the policy response that has been chosen.

UNICEF has stated plainly that "age restrictions alone won't keep children safe online," warning that bans without accompanying education and parental support risk pushing children toward less regulated spaces. The Lancet's Public Health journal published research this year examining the relationship between social media restrictions and adolescent wellbeing, noting that the evidence base for blanket bans remains limited and that the effectiveness of restrictions depends heavily on whether they are accompanied by wider digital literacy investment. Academic research published in the journal Child and Adolescent Mental Health similarly found that parental engagement and education consistently outperform technical controls as protective factors.

The DISA research network, reviewing the emerging literature on social media bans, identified a recurring concern: that restrictions without education can reduce children's exposure to a known platform while driving them toward less monitored alternatives. The argument is not that children should have unrestricted access to social media. It is that restriction alone, without the tools to understand why and to navigate risk, leaves the underlying vulnerability intact.

What the Research Consistently Finds

  • UNICEF (2026): Age restrictions alone are insufficient. Children need digital literacy skills and parental support to navigate online harm, not just platform restrictions.
  • The Lancet Public Health (2026): The evidence base for blanket social media bans on adolescent wellbeing is limited. Effectiveness depends significantly on whether restrictions are paired with broader education investment.
  • Child and Adolescent Mental Health journal: Parental engagement and education are consistently stronger protective factors than technical controls, which are routinely circumvented.
  • Displacement risk: Restrictions without education do not eliminate demand; they redirect it, often toward less regulated platforms where oversight is weaker or absent entirely.

The Dark Web Displacement Effect

There is a pattern that has emerged wherever heavy handed internet regulation has been introduced without addressing the underlying demand. People, children and adults alike, do not simply stop accessing content when a platform is blocked. They find another route.

For privacy conscious users, or those who simply refuse to hand over official documentation and biometric data to private companies, that route increasingly runs through VPNs, Tor, and the wider anonymised web. The irony of the government's approach is that it creates exactly the conditions that push cautious, privacy aware users deeper into unregulated spaces. Someone who declines to submit a passport scan to an age verification provider (a perfectly reasonable position given the UK's recent record on data security) may find themselves unable to access mainstream platforms and instead navigating services with no moderation, no safety infrastructure, and no accountability.

For children specifically, this displacement risk is not hypothetical. Research has repeatedly shown that determined young people can and do circumvent platform level restrictions. The technical barrier to accessing content via a VPN or an unverified secondary account is low. What regulation does, in those cases, is not block access; it removes the regulated safety infrastructure from around the access that continues anyway.

Parental Responsibility and the Missing Conversation

One of the most striking absences from today's announcement is any substantive discussion of parental education. The government frames this as giving "power back to parents", but the policy it has chosen does the opposite. It transfers responsibility for managing children's online lives to platforms, regulators, and private verification companies, while leaving parents with no better understanding of how to talk to their children about the online world than they had before.

Child safety specialists have consistently argued that the most durable protection for children online is a parent who understands the risks and can discuss them. That requires investment in education for parents as much as children. It requires school curricula that treat digital literacy as seriously as reading and maths. It requires accessible guidance for families, not press releases about banning platforms.

None of that is incompatible with proportionate technical safeguards. But the balance of today's announcement is heavily weighted toward restriction and enforcement, with very little acknowledgement that the same outcome might be achieved better, and more durably, through a different approach.

The government plans to use secondary legislation under powers already acquired through the Children's Wellbeing and Schools Act, which means the first regulations could, in theory, come into force as early as spring 2027. The bill itself is expected to be brought to Parliament before Christmas.

Ofcom has been asked to conduct a rapid study on highly effective age assurance and to produce an enforcement strategy. The Technology Secretary has also written to Ofcom's new Chair requesting an urgent review of the regulator's enforcement capabilities. Funding, the announcement confirms, will follow.

The government has also said it will look further at overnight curfews and breaks in infinite scrolling for under 18s, with more detail expected in July.

What is not yet clear is how age verification will work in practice, what data will be required, who will hold it, under what security standards, and what liability framework will apply when things go wrong. Those are not minor implementation details. They are the questions on which the safety of this policy, for children and adults alike, actually depends.

Key Takeaways

  • Social media platforms including TikTok, Instagram, Snapchat, YouTube, Facebook and X will be banned from offering services to under 16s, with legislation expected before Christmas 2026 and first regulations potentially in force by spring 2027.
  • Age verification at the scale required will involve private companies processing official identity documents and biometric data on millions of UK residents, creating a high value target for hostile states and criminal hackers.
  • The UK has a recent and documented track record of large scale data breaches in public and quasi public institutions. The government has not published a liability framework for when age verification providers are compromised.
  • UNICEF, The Lancet, and academic child safety researchers have consistently found that parental education and digital literacy outperform technical restrictions as protective factors, and that bans without education risk displacing children to less regulated platforms.
  • Privacy conscious users who decline to submit biometric or identity data to private verification companies may find themselves unable to access mainstream regulated platforms and pushed toward unmonitored, unmoderated alternatives.