Two dates. Sit with them for a second.
On 15 June 2026 the Prime Minister announced the biggest piece of UK tech policy in years: a flat ban on social media for anyone under 16.
On 22 June 2026, seven days later, that same Prime Minister, Keir Starmer, resigned.
So the coverage has gone where coverage always goes. The leadership race, the likely successor, the seventh prime minister in ten years. What almost nobody is writing about is the thing the policy quietly asks the country to build. I want to write about that.
Where I'm coming from
As an AI educator, I'm not anti-safeguarding. I've made the case in print, in a published Q&A on AI in classrooms, that the job is to set ethical boundaries that still let kids learn. Keeping children safer online is a real goal and I take it seriously.
None of what follows is an argument with that goal. It's an argument with the method we've grabbed to reach it, because the method builds something no one would sign up for if you described it plainly.
What the Online Safety Act actually is
People tend to picture the Online Safety Act as a narrow rule aimed at a few nasty corners of the web. It isn't. It passed in 2023, and it reaches most of how we talk to each other online.
It bites mainly on three things: user-to-user (U2U) services, search engines, and adult sites. Put simply, if a service lets people post, upload, generate, or talk to one another, it's almost certainly in scope. Social media, so X, Instagram, TikTok, Facebook. Messaging, including WhatsApp, Signal, Messenger and iMessage. Forums and communities like Reddit and Quora, down to small independent boards. Video and file-sharing, so YouTube, Dropbox, Google Drive. Gaming and dating too: PlayStation Network, Twitch chat, Tinder. And the search engines on top, Google, Bing, Yahoo.
It doesn't matter where the company is based. A US platform is caught the moment it has a meaningful number of UK users. The heaviest duties, the proactive scanning where AI is set loose to hunt for illegal content, land on the big "Category 1" and "Category 2" services.
What's left out is a short list: read-only sites like news pages without comments, corporate pages and static blogs, plus plain email, SMS, one-to-one calls, and internal business networks.
Keep that scope in mind, because it matters. This isn't a rule about the fringe of the internet. It's the plumbing of most of it.
The escalation
The under-16 ban bolts one more demand onto all of that. Platforms have to keep under-16s out of TikTok, Instagram, YouTube, Snapchat, Facebook and X, and the penalty for failing is a fine of up to 10% of global revenue. The legislation is expected before the end of 2026, with enforcement around spring 2027.
And here's the bit that mostly goes unsaid. You can't confirm that the few users are under 16 without checking everyone. To prove a single user is over the line, the platform has to verify age, either by uploading a government ID, which leaves a centralised identity record, or by an AI scan of your face. As the cybersecurity researcher Alan Woodward put it, it "means age-verifying all of us."
The ban points at children. The verification falls on every adult in the country.
The vault we didn't ask for
Picture someone pitching this to your face. To keep teenagers off a handful of apps, we're going to build a vault holding a face scan or an ID document for every adult in Britain. And we're going to keep it.
You'd never agree. It's wildly out of proportion to the problem. But that vault is exactly what the mechanism needs, and vaults get robbed. We've already watched it happen. Discord leaked more than 70,000 user photos. The women's safety app Tea had users' IDs and faces dumped onto 4chan. As Big Brother Watch put it, "No one in a democracy should need to show their passport just to get online." And nobody can promise the platforms will even delete the sensitive stuff once they've collected it.
So we're trying to fix a children's problem by building a permanent, nationwide honeypot. The kids we're worried about are a sliver of the population. The surveillance covers all of us. It's a doorman who fingerprints the whole street to catch the handful who shouldn't be inside, then keeps every print on file forever.
Why AI is what makes the vault dangerous
A vault of ID documents is bad enough on its own. A vault of ID documents in an age of capable AI is a different animal, and this is the part the debate keeps skating over.
The danger takes two ingredients, and this policy hands over both. Mass identity data, and AI that can actually do something with it. On their own, each is a manageable risk. Put them together and you've got a profiling engine.
Start with the verification itself. One of the two approved methods is AI facial age estimation. That means the system isn't just checking a number, it's taking your face and running it through a model. We aren't compiling a list of birthdays here. We're feeding the whole adult population's biometrics into AI systems, on purpose, as the design.
Then think about what the AI does with that once it's sitting there. You can change a leaked password. You cannot change a leaked face. Facial recognition lets one image get matched against CCTV, against other breached databases, against photos scraped off the open web, so a single verification selfie becomes a key that ties your real name to everything you've ever done online. The Act is already nudging the biggest platforms to scan content with AI, and the moment you bolt a verified, real-world identity onto that behavioural data, the AI stops looking at anonymous accounts and starts assembling a named profile of an actual person: what you read, who you talk to, when, and from where. A human analyst could profile a few people. AI does sixty million at once, cheaply, around the clock. The old limit on surveillance was how many people you could pay to do it. That limit is mostly gone.
The short version: the ID data makes you identifiable, and the AI makes you legible. Before this generation of AI, a leaked ID database was mainly a fraud headache. Now it's the raw material for profiling at the scale of a whole country, and unlike a password it never expires, because you can't reissue your face.
Which is why "they'll only ever use it to check ages" misses the point. The threat was never the age check. It's that we're quietly stockpiling the one thing modern AI needs, verified biometric identity data for a nation, to turn ordinary conversation into a searchable map.
And it never stays for one purpose
We're told the data only ever gets used for age-checking. History disagrees. "Once you put the technology in place," Woodward warns, "time and again we have seen it being abused by governments, you get this scope creep."
Think of a lock sold to you as an age check, except the locksmith keeps a spare key. The lock does the job on the tin. But the person holding the spare gets to decide, later and quietly, what else it opens. That isn't a slippery-slope what-if. It's what identity infrastructure has done pretty much everywhere it's been built.
And it may not even protect a single child
Here's what really ought to stop the argument: there's barely any evidence it works.
Australia tried it first. Its under-16 ban is already live, and in March 2026 the e-Safety Commissioner put out the first compliance report. The verdict was blunt. Plenty of under-16s still had accounts, were still opening new ones, and were still walking straight through the platforms' age-assurance checks. The regulator warned of major gaps and is weighing legal action against Facebook, Instagram, TikTok, Snapchat and YouTube. And the main reason kids were still online wasn't some clever workaround. It was that platforms often didn't bother asking, and when they did, the age-estimation AI got it wrong.
Now stack the UK's enforcement choice on top. The legal liability rests entirely with the platforms. Ofcom goes after the companies, not families. A child who slips past the ban has broken no law. A parent who lets them face no penalty. The whole machine is built to fine Meta, not to police the living room, which means the determined teenager the policy is literally named after is the one person it can't actually stop.
So look at what each side walks away with. The children get a barrier Australia has already shown they step around. Everyone else gets a permanent, AI-readable record of their face and their ID. We trade away the digital privacy of the entire adult population, and in exchange we get a child-protection scheme that the only country to try it is currently struggling to make work. We lose our privacy for nothing.
Why the timing matters
Now put those two dates back together.
A surveillance system this big was announced on 15 June. The one person with the authority to defend it, fix it, or answer for it walked out on 22 June. His likely replacement doesn't take office until mid-July, and the legislation is still months away from being written.
So the most invasive data-collection mandate in modern British history is about to drift through a leadership vacuum, started by one government and handed to another, while the press is busy counting prime ministers. The window for proper scrutiny is closing at the exact moment scrutiny matters most.
A policy that ID-checks the entire internet deserves a real fight. It isn't getting one. It's getting a news cycle about a resignation.
The point
You can want children protected and still refuse to accept that the only way to do it is to register every adult's face in a database that will, sooner or later, leak or get repurposed. Those are two different decisions. Treating them as one is exactly how bad infrastructure gets built: quietly, in the middle of a distraction, dressed up as something no decent person could object to.
So ask the harder question the headlines are skipping. Not "should we protect children," because yes, obviously. Ask what we're actually building to do it, who ends up holding the keys, and what happens to that vault now that the government which promised to guard it has already walked out the door.
The more the world runs on data, the more it needs people who run on care.
— Victor Osondu, Founder, AI Tutorium
Sources: GOV.UK fact sheet on new rules to protect children online · GOV.UK — ban announcement · TechPolicy.Press — surveillance analysis · The Conversation — what parents need to know (enforcement & liability) · TechTimes — privacy cost · CNN — Starmer resignation · NPR — Starmer resignation