The Northern Express Herald
Opinion

Watching the watchers: Why New Zealand’s age verification plan gets it backwards – David Harvey

Opinion by David Harvey
David Harvey is a retired district court judge.

Experts warn the social media ID scheme risks creating a state surveillance hub.

The goal is straightforward enough: keep children under 16 off social media. The method being pursued is anything but. New Zealand is quietly constructing a digital identity regime that would require every adult in the country to prove who they are before accessing platforms most people use every day. In doing so, it risks building one of the most powerful surveillance architectures in the country’s history – and handing control of it to exactly the wrong organisation.

Punishing adults to protect children

Privacy Commissioner Michael Webster has put the core contradiction plainly. Any system that stops children accessing social media must first verify that every other user is not a child. Protecting the young requires surveilling everyone else. This is not a design flaw that smarter engineering can fix. It is baked into the very logic of age-gating.

New Zealand’s approach draws on the European Union’s model, which uses zero-knowledge proof architecture – a cryptographic method where a user’s age can be confirmed without any identity information passing to the platform itself. In Europe, this works because it rests on a distributed network of 27 national identity systems, each independently regulated under the General Data Protection Regulation (GDPR), with no single authority holding the keys to the whole edifice.

In New Zealand, all roads lead to one place – the Department of Internal Affairs (DIA).

One department, too much power

The DIA already sits at the centre of New Zealand’s identity infrastructure. Every passport. Every citizenship record. The biometric data of millions. Now add what is being proposed: the same department would manage the digital wallet carrying age verification credentials, operate the Trust Framework governing accredited identity providers, and house the Digital Safety and Identity Investigations unit – a team combining digital child exploitation enforcement, violent extremism monitoring, content classification and anti-spam operations under one roof.

This structure did not emerge from careful constitutional thinking. It is the result of functions accumulating in one place over time, without anyone asking whether that accumulation was wise. The EU’s designers asked that question explicitly and distributed these powers deliberately across independent institutions. New Zealand’s emerging model does the opposite, then proposes to expand it further.

The DIA is not an appropriate vehicle for this. Concentrating identity management, content regulation and online access control in a single agency, accountable to a single minister, creates exactly the kind of unchecked institutional power that robust democratic systems are designed to prevent.

Yet in the Budget delivered on 28 May, the DIA was allocated $30.75 million over the next four years to develop policy and possible regulatory options to improve children’s online safety.

The trust framework was never built for this

The Digital Identity Services Trust Framework Act 2023 is being positioned as the legal vehicle for delivering age verification. It accredits identity providers, sets privacy and security standards, and underpins the Government Digital Wallet. On paper, the fit seems clean.

It isn’t. The Trust Framework was designed as a voluntary scheme – a consumer confidence mark that organisations could choose to adopt. Transforming it into the mandatory gateway to everyday online communication requires different legislative authority and different accountability structures than currently exist.

The body that accredits providers under the Trust Framework and the department building the age verification infrastructure are the same organisation. Whatever the formal statutory distinctions, the practical independence is illusory.

There is also a blunt practical problem. The framework currently works for adults with New Zealand passports or driver licences. Fifteen-year-olds have neither. The very population the system is designed to identify sits largely outside the credentials the system knows how to process.

Infrastructure outlasts intentions

A verification system that can confirm whether someone is old enough to use Instagram is, technically, a system that can log who is accessing any online service, at what time, from where.

The infrastructure does not forget. Even if today’s legislators intend nothing beyond age-gating social media, the capability they create will exist long after they leave office, available to future administrators with different priorities.

The EU constrains this risk through the GDPR, constitutional privacy protections enforceable in court, and a political culture shaped by living memory of what states do with unchecked surveillance capacity.

New Zealand has the Privacy Act 2020 and the Biometric Processing Privacy Code 2025 – meaningful instruments but not designed for mandatory universal identity verification as a condition of online access. Rules governing how data is handled are not the same as architecture that prevents dangerous concentrations of data from forming in the first place.

If the DIA becomes the central node through which online identity is verified, and that function becomes interlinked with the department’s existing biometric databases, the result is a target of extraordinary value to criminal networks and hostile state actors.

A breach would not merely expose names and addresses. It would reveal which platforms each New Zealander uses, when, and patterns of behaviour stretching back years. That is the predictable consequence of the architecture being built.

Who gets left behind

The EU’s model works partly because digital identity infrastructure across Europe is mature and near-universal. New Zealand’s is not. A system that functions smoothly for a connected urban professional with a current passport creates real barriers for people without those advantages – recent migrants, rural and low-income households, and Māori and Pasifika communities carrying legitimate historical grievances about government data collection. Equity cannot be an afterthought in a mandatory system.

Wrong answer to a real question

Some 71% of New Zealanders worry about social media’s effects on children, and the evidence for those concerns is substantial. The question is not whether to act. It is whether this action, structured this way, is safe.

The honest answer is that it is not. Importing the EU’s technical model without the institutional architecture that makes it trustworthy means accepting the surveillance risk without the privacy guarantees.

The EU’s protections are not primarily technological – they are organisational and legal: independent regulators with real authority, constitutional rights with real teeth, and a deliberate distribution of power ensuring no single agency becomes the gatekeeper to digital life.

New Zealand is proposing to build exactly such a gatekeeper inside one of its most powerful departments. The infrastructure question and the governance question cannot be separated – and right now, only one of them is being answered.

The Department of Internal Affairs should be kept well away from age verification.
