THE government’s plan to restrict children under 16 from accessing social media by June, using the framework of the Online Safety Act (Onsa), signals a strong commitment to youth protection. However, a “total lockout” approach and the proposed MyKad-based age verification raise critical practical and cybersecurity concerns.
A sweeping ban is a blunt regulatory tool that is notoriously difficult to enforce. Banning youths will inevitably drive some to use virtual private networks (which create encrypted Internet connections that allow private browsing) or migrate to encrypted messaging apps like Telegram, rendering them entirely invisible to parents and regulators. What we need is to foster digital literacy alongside these restrictions.
In this context, Meta’s recent rollout of revamped Teen Accounts offers a highly instructive case study. (Meta owns and operates Facebook, Instagram, WhatsApp, Messenger, and Threads. It introduced Teen Accounts in Instagram in late 2024 and extended them to Facebook and Messenger in 2025; a revamp to Instagram Teen Accounts was released this month.)
By placing younger users under strict default settings for privacy, disabling recommendations for sensitive content, and embedding mandatory parental controls, Meta has provided a tangible blueprint for what “safety by design” looks like in practice, rather than relying on reactive moderation after the fact.
From a regulatory standpoint, this is a significant and welcome shift. By mandating safe, highly restricted environments, we give youths a secure “training ground” to develop digital resilience.
Rather than pursuing an unenforceable blanket ban, policymakers should use this model to establish an industry-wide baseline. The Malaysian Communications and Multimedia Commission’s current regulatory sandbox should pivot from testing how to block youths entirely to testing how to protect them.
The upcoming Onsa subsidiary instruments should make these strict default privacy settings and restricted algorithmic feeds a mandatory licensing condition for all platforms operating in Malaysia.
This brings us to a major cybersecurity concern. The Communications minister recently suggested standardising “age verification” using official government documents like the MyKad. If this verification requires platforms to directly collect and store MyKad data, we are facing a massive risk.
Social media platforms suffer massive data breaches. The 2021 Facebook data leak exposed the details of 533 million users, and in 2023, hackers posted e-mail addresses linked to 200 million Twitter accounts.
If social media giants cannot guarantee the absolute security of user data based on these past incidents, trusting them to directly verify and store our MyKad data could expose millions to severe identity theft. Trading one potential harm for another, more severe one is a deeply flawed policy.
Furthermore, if age verification requires platforms to collect and store MyKad data, it does not meet the spirit of data minimisation under Section 6 of Malaysia’s Personal Data Protection Act (PDPA). The General Principle of the PDPA dictates that personal data processed must be “adequate but not excessive” in relation to its purpose. We cannot create a system where Onsa requirements actively conflict with the spirit of the PDPA.
If age verification is deemed absolutely necessary, we must look to privacy-preserving global best practices. Rather than submitting MyKad data to tech companies, Malaysia should adopt the “double-blind tokenised approach” recommended by Australia’s eSafety Commissioner.
This approach involves an independent, regulated third party that verifies a user’s age. This verifier then provides a secure token to the social media platform, confirming only that the user meets the age requirement. Crucially, the platform never receives or handles the user’s personal identification documents, thereby protecting their privacy.
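As an added illustration of the token flow described above (constructed for this page, not code from the letter or from the eSafety Commissioner's scheme), the following shows the two sides of such an exchange: a verifier that sees the date of birth and issues a signed token carrying only "age threshold met", a nonce and an expiry, and a platform that checks the token without ever seeing an identity document. It assumes a shared HMAC key for the signature to stay standard-library only; a real deployment would use the verifier's public-key signature so that the platform holds no secret.

```python
import base64, hashlib, hmac, json, secrets
from datetime import date

# Constructed key shared by the regulated verifier and the platform; a real scheme
# would use the verifier's public-key signature so the platform holds no secret.
VERIFIER_KEY = b"constructed-demo-key-not-for-production"

def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def age_on(dob: date, today: date) -> int:
    return today.year - dob.year - ((today.month, today.day) < (dob.month, dob.day))
def verifier_issue_token(dob: date, min_age: int, today: date, exp: date):
    """Verifier side: the only party that sees MyKad data. The token carries just
    the threshold met, a nonce and an expiry: no name, ID number, birth date or
    platform name, so the verifier also does not learn where it will be used."""
    if age_on(dob, today) < min_age:
        return None
    claims = {"age_gte": min_age, "nonce": secrets.token_hex(8), "exp": exp.isoformat()}
    payload = json.dumps(claims, separators=(",", ":"), sort_keys=True).encode()
    return f"{_b64(payload)}.{_b64(hmac.new(VERIFIER_KEY, payload, hashlib.sha256).digest())}"

def token_claims(token: str) -> dict:
    """Everything a platform can learn from a token: the claim set, nothing more."""
    return json.loads(_unb64(token.split(".")[0]))

class Platform:
    """Platform side: validates tokens, never handles identity documents."""
    def __init__(self, min_age: int):
        self.min_age = min_age
        self.seen_nonces = set()  # a presented token cannot be replayed later
    def accept(self, token: str, today: date) -> bool:
        try:
            payload_b64, mac_b64 = token.split(".")
            payload = _unb64(payload_b64)
            expected = hmac.new(VERIFIER_KEY, payload, hashlib.sha256).digest()
            if not hmac.compare_digest(expected, _unb64(mac_b64)):
                return False  # forged or tampered token
            claims = json.loads(payload)
            if date.fromisoformat(claims["exp"]) < today:
                return False  # expired
            if claims["age_gte"] < self.min_age or claims["nonce"] in self.seen_nonces:
                return False  # threshold too low for this platform, or a replay
        except (ValueError, KeyError, TypeError):
            return False  # malformed token
        self.seen_nonces.add(claims["nonce"])
        return True
```

The platform can inspect `token_claims(token)` to confirm that no identifying field is present, which is the data-minimisation property the letter asks for.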
We must protect our youths, but not at the expense of their digital literacy or national data security. By pivoting towards mandated “safety by design” and privacy-preserving tokenisation, Malaysia can create a gold-standard regulatory framework that avoids the dangerous pitfalls of blunt bans and mass data collection.
THULASY SUPPIAH
Kuala Lumpur
The writer is a senior lawyer focusing on artificial intelligence, data centres, and cybersecurity.