The government’s plan to restrict children under 16 from accessing social media by June, using the framework of the Online Safety Act (ONSA), signals a strong commitment to youth protection. However, a “total lockout” approach and the proposed MyKad-based age verification raise critical practical and cybersecurity concerns.

A sweeping ban is a blunt regulatory tool that is notoriously difficult to enforce. Banning youths will inevitably drive them to use Virtual Private Networks (VPNs) or migrate to encrypted messaging apps like Telegram, rendering them entirely invisible to parents and regulators. What we need is to foster digital literacy alongside these restrictions.

In this context, Meta’s recent rollout of revamped “Teen Accounts” offers a highly instructive case study. By placing younger users under strict default settings for privacy, disabling recommendations for sensitive content, and embedding mandatory parental controls, Meta has provided a tangible blueprint for what “safety by design” looks like in practice, rather than relying on reactive moderation after the fact.

From a regulatory standpoint, this is a significant and welcome shift. By mandating safe, highly restricted environments, we give youths a secure “training ground” to develop digital resilience.
Rather than pursuing an unenforceable blanket ban, policymakers should use this model to establish an industry-wide baseline. The Malaysian Communications and Multimedia Commission (MCMC) regulatory sandbox should pivot from testing how to block youths entirely, to testing how to protect them. The upcoming ONSA subsidiary instruments should make these strict default privacy settings and restricted algorithmic feeds a mandatory licensing condition for all platforms operating in Malaysia.

This brings us to a major cybersecurity concern. The Communications Minister recently suggested standardising “age verification” using official government documents like the MyKad. If this verification requires platforms to directly collect and store MyKad, we are facing a massive risk.

Social media platforms suffer massive data breaches. The 2021 Facebook data leak exposed details of 533 million users, and in 2023, hackers posted email addresses linked to 200 million Twitter accounts. If social media giants cannot guarantee the absolute security of user data based on these past incidents, trusting them to directly verify and store our MyKad could expose millions to severe identity theft. Trading one potential harm for another, more severe one is a deeply flawed policy.

Furthermore, if age verification requires platforms to collect and store MyKad, it does not meet the spirit of data minimisation under Section 6 of Malaysia’s Personal Data Protection Act (PDPA). The General Principle of the PDPA dictates that personal data processed must be “adequate but not excessive” in relation to its purpose. We cannot create a system where ONSA requirements actively conflict with the spirit of the PDPA.

If age verification is deemed absolutely necessary, we must look to privacy-preserving global best practices. Rather than submitting MyKad to tech companies, Malaysia should adopt the “double-blind tokenised approach” recommended by Australia’s eSafety Commissioner.

This approach involves an independent, regulated third party that verifies a user’s age. This verifier then provides a secure token to the social media platform, confirming only that the user meets the age requirement. Crucially, the platform never receives or handles the user’s personal identification documents, thereby protecting their privacy.

We must protect our youths, but not at the expense of their digital literacy or national data security. By pivoting towards mandated “safety by design” and privacy-preserving tokenisation, Malaysia can create a gold-standard regulatory framework that avoids the dangerous pitfalls of blunt bans and mass data collection.