Starmer's Resignation Leaves UK's Social Media Ban, Digital ID Plans in Limbo
Keir Starmer announced on 22 Jun that he would step down as Prime Minister of the United Kingdom and leader of the Labour Party, ending weeks of speculation. The decision came after months of declining popularity and sustained pressure from fellow Labour MPs.
A week earlier, Starmer had delivered a very different kind of announcement – one that drew strong support within the party.
"Today is a big moment for our country," he said on 15 Jun. "Today, I can announce that the Government will ban access to social media for all children under the age of sixteen."
The announcement was framed as a measure to protect children from distraction and potential harm online. From spring 2027, age verification mechanisms will be required to access platforms such as YouTube, X, Facebook and Instagram, extending the mandate of the Online Safety Act, which had introduced mandatory age verification for websites hosting sensitive content in 2025.
"Laws are rules, but they are also an expression of our values," Starmer concluded. "They shape the social contract."
For privacy advocates – inside and outside crypto – the shaping of that social contract raises a concern that goes well beyond teenagers. The implications reach into crypto directly: exchanges, DeFi platforms and wallet providers operating in the UK could face the same age verification infrastructure, raising questions about who controls the identity layer sitting beneath all online financial activity.
"A ban on under-16s is impossible to implement in a way that only affects under-16s," said Joe Andrews, CEO of Aztec Labs, a company that develops blockchain-based privacy products. "The only way to keep a teenager off a platform is to check the age of everyone signing up, so a rule aimed at children alone becomes an ID requirement for the whole country."
That ID requirement has become the central fault line in the debate over whether the ban can be implemented without eroding the online freedom of all UK internet users.
Where the ban came from
The first major enforcement of the Online Safety Act in 2025 had already stirred concern among privacy advocates. Citing a 79% rise in online data breaches over the past five years, according to the Identity Theft Resource Centre, they argued that requiring users to upload sensitive documents such as passports could only compound the risk.
"Every platform will now require you to hand a passport or a face scan to a verification vendor, and every one of those vendors becomes a honeypot of real IDs waiting to leak," said Andrews. "We saw it with the Online Safety Act checks last year, we saw it again when a provider connected to Discord leaked tens of thousands of government ID images, and we've seen it countless times over the years. Millions of adults take on the real risk – identity theft and fraud – for a measure that determined teenagers could easily route around with a VPN anyway."
Raido Saar, founder and CEO of digital ID provider ComplyOnce, noted that criminals had already accessed the data of 200mn Pornhub users in December 2025, including email addresses, viewing activity and location data. "This data is not only private – it is really delicate," he told Sandmark. "It is valuable on the dark web and is really usable for extortion and quieting your political opponents."
Preserving privacy online
The Online Safety Act restrictions arrived two months before the UK government announced plans for a mandatory digital ID scheme to prove the right to work, introduced without public consultation. An eight-week consultation period was eventually delayed until March 2026.
Given the government's latest moves, "some sort of digital ID is kind of inevitable," said Roxana Nasoi, spokesperson at Logos, a decentralized community that develops blockchain-based privacy technology. The design of that ID, she argued, will determine whether citizens retain meaningful control over their own data.
In crypto, many have turned to zero-knowledge (ZK) proofs as a potential solution. The technology – a method of cryptography that lets one party prove something is true without revealing the underlying information – allows an ID holder to share only what is necessary for a given verification, and in some designs, to set a time limit on how long that verification remains valid.
Consumer-facing products using ZK proofs have only recently gained traction. "What has changed recently is that ZK has gotten fast and cheap enough to use," said Andrews. "A proof used to be too slow and expensive for consumer products, and now a lot of it runs on a normal phone."
Not fully mature
Despite the promise, Nasoi cautioned that even crypto-native identity providers have struggled to deploy ZK proofs at scale, pointing to two unresolved challenges.
The first is selective disclosure – the ability to share one detail and nothing more. "There are these small privacy leaks that could ultimately lead to the identification of a real person," she said. Research by Brave on the limits of zero-knowledge age verification found that proofs still leak metadata: the record of when a proof is shown and to whom, even when the contents remain hidden. Combining several proofs – an age check alongside a residency check, for instance – can build a profile of a user without ever accessing the underlying document. The firm warned that a poorly designed system "may provide more identifying information than the web currently exposes."
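The linkage risk described above, as an added illustration that is not taken from the article or from Brave's research: the constructed verifier logs below hold only metadata, yet a handle that stays constant across presentations lets pooled logs be joined into a per-person profile, while a per-verifier handle breaks that join. The verifier names, timestamps, secrets, handle schemes and function names are all assumptions made for the example.

```python
import hashlib
import hmac
from collections import defaultdict

# Constructed sample: (verifier, timestamp, predicate proven, holder).
# The holder label is ground truth for the demo and is never written to a log.
EVENTS = [
    ("social.example", "2027-04-01T08:02", "age_over_16", "alice"),
    ("bank.example",   "2027-04-01T08:05", "uk_resident", "alice"),
    ("social.example", "2027-04-01T09:10", "age_over_16", "bob"),
    ("bank.example",   "2027-04-02T14:30", "uk_resident", "bob"),
    ("forum.example",  "2027-04-03T19:45", "age_over_16", "alice"),
]
HOLDER_SECRETS = {"alice": b"constructed-secret-a", "bob": b"constructed-secret-b"}

def stable_handle(holder, verifier):
    """Weak design (assumed): one fingerprint accompanies every presentation."""
    return hashlib.sha256(HOLDER_SECRETS[holder]).hexdigest()[:12]

def pairwise_handle(holder, verifier):
    """Per-verifier handle: keyed on the verifier, so it differs at each site."""
    key = HOLDER_SECRETS[holder]
    return hmac.new(key, verifier.encode(), hashlib.sha256).hexdigest()[:12]

def build_logs(handle_fn):
    """What verifiers record: handle, site, time, predicate. No document data."""
    return [(handle_fn(h, v), v, ts, pred) for v, ts, pred, h in EVENTS]

def profiles(logs):
    """Join pooled logs on the handle: handle -> {(verifier, predicate)}."""
    out = defaultdict(set)
    for handle, verifier, _ts, pred in logs:
        out[handle].add((verifier, pred))
    return dict(out)

def cross_verifier_profiles(logs):
    """Number of handles seen at more than one verifier (linkable profiles)."""
    return sum(1 for facts in profiles(logs).values()
               if len({v for v, _ in facts}) > 1)

if __name__ == "__main__":
    print("stable handle:  ", cross_verifier_profiles(build_logs(stable_handle)))
    print("pairwise handle:", cross_verifier_profiles(build_logs(pairwise_handle)))
```

In both designs the timestamp and the verifier's identity are still recorded, so a per-verifier handle removes the join key but not the timing metadata.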
The second challenge is revocation – deciding who can cancel a credential and how a person replaces one. "It's a major centralization point, and it can't really be solved with decentralized technology," Nasoi said, because the issuer must be granted authority. Without decentralization, the centralized entity becomes precisely the data honeypot that Andrews warned of. The power to revoke a credential also creates its own pressure point: a government or employer can compel an ID holder to unlock it and expose their full activity.
Identity monopoly
In a research briefing published in March, the government indicated that the digital ID would be built in-house, leaving little room for iteration or competitive challenge. The original plan had involved third-party providers competing for a government contract. The social media ban removes that opening by routing verification through the platforms themselves.
"You can't challenge their decision because it's not a government contract any more. It just says if you don't do it, you can't operate in the UK," said Nasoi.
The UK has stated that digital IDs "can offer privacy protection" but has released little detail on how privacy will be designed into the system, or whether ZK proofs will be used at all.
Doro Unger-Lee, now Deputy Director of Development at Corpus Christi College Cambridge and formerly Global University Programme Lead at Ava Labs – the company behind the Avalanche (AVAX) blockchain – organised a roundtable on privacy-preserving technology at the House of Lords in November 2025. She posted on LinkedIn shortly after that the discussion had concluded "the technology and standards are here. The gap is governance, incentives and political will." Nasoi, who attended, noted that none of the Lords were present and that the Baroness chairing the event was "completely overwhelmed because it was highly technical."
The roundtable, which included experts on data ownership, academics, technologists and biometric identity developers, reached a consensus that decentralized technologies are preferable to centralized ones for digital ID – but stopped short of identifying what could be deployed immediately.
The picture is no clearer in Europe. Under the updated eIDAS regulation, every EU member state must offer citizens a digital identity wallet by the end of December 2026. Most states remain at the pilot stage. "They are complaining that they cannot deliver zero-knowledge proofs," said Saar, drawing on his experience with digital identity providers across the continent.
Internet users carry the risk
Privacy advocates point to a pattern of historical cases in which online data collection has been weaponized for identification, surveillance and influence – a pattern they argue an age-gated social media regime will only extend.
The first example, highlighted by Aztec's Andrews, was the 2006 AOL search logs scandal. The company released a large excerpt of anonymized search queries, intended for independent research. However, unique user numbers attached to the searches allowed reporters from The New York Times to identify individual users. AOL quickly took down the data, but by then it had already been copied and spread widely across the internet.
"Your location history gets sold and shows where you live and who you visit," said Andrews. "The shopping you did gets fed into a pricing model that sets your insurance. A dataset leaks once and follows you for a decade. You can't reissue your face the way you reissue a card. None of this stems from you having done anything wrong."
The second example, cited by Nasoi, is the Cambridge Analytica scandal of the 2010s. The research firm was accused of using personal data connected to 87mn Facebook profiles to psychologically target users and assist the presidential campaigns of Ted Cruz and Donald Trump in 2016. It was also accused of helping the Leave.EU Brexit campaign, although later official investigations found no significant evidence of data misuse in that case.
Protecting consent
Both cases, in the advocates' view, point to a more profound problem that an age-gated social media ban amplifies: the routine collection of identifiable credentials as the price of operating online.
"The real battle should be around protecting consent," said Nasoi. "Privacy is consent to access what makes you who you are. The erosion of consent to internet data is the erosion of online privacy, which has triggered a decline in internet freedoms over the past 20 years, and has impacted civil society."
Freedom House's latest Freedom on the Net report found that of the 5.5bn people with internet access, 81% live in countries where people have been imprisoned for an online post. Although the US, Canada, the UK and much of Western Europe retain their "free" classification, the report warned that increasing government restrictions have brought several close to losing it. "The most important factor determining whether governments will deploy this technology for repressive purposes is the quality of their governance," it stated.
Running beneath all of this is a concern that policy is moving faster than the technology available to implement it without compromising privacy. "It's going to open up so many issues. Maybe some of them we haven't even grasped yet," said Nasoi.
For now, messaging services such as WhatsApp are excluded from the age verification requirement. The government has said further details on which platforms will be subject to verification and on the use of VPNs will follow in July. No statements on the social media ban have been issued since Starmer's resignation.
The Labour Party had not responded to Sandmark's request for comment at the time of publication.