{
"$type": "site.standard.document",
"bskyPostRef": {
"cid": "bafyreic72ykotocmmypgt4kzod24yzuaejo6nu2rjnjocmeo7ib3zveltq",
"uri": "at://did:plc:sl2hrcwo6voaorzsr26d3bo2/app.bsky.feed.post/3mk6xhx6pkqs2"
},
"coverImage": {
"$type": "blob",
"ref": {
"$link": "bafkreier3ktycuyqscpvuptcp7niq2moklkjwpn3gooxnqj3sz3c4434za"
},
"mimeType": "image/jpeg",
"size": 67018
},
"description": "How the Department of Internal Affairs is building a social media surveillance regime before parliament has spoken.",
"path": "/this-is-evidence-of-control-creep/",
"publishedAt": "2026-04-23T21:30:31.000Z",
"site": "https://goodoil.news",
"tags": [
"David Harvey",
"here",
"A Halfling’s View"
],
"textContent": "David Harvey\n_Retired district court judge_\n\n# The Bill and the Bureaucracy\n\nA bill is currently before parliament. The Social Media (Age Restricted Users) Bill proposes to require providers of designated social media platforms to take all reasonable steps to prevent users under 16 from holding accounts.\n\nThe legislation has broad political support. It was introduced by National MP Catherine Wedd. National backs it. Labour will not miss an opportunity to regulate. The numbers are there. In some form it will pass.\n\nWhat should concern New Zealanders is not the bill itself – the question of whether social media is harmful to adolescents is legitimate and contested – but what is being built in its name, by whom, and on whose authority, before a single clause has become law.\n\nOn Monday 20 April 2026, the Department of Internal Affairs posted an advertisement for a programme implementation director (PID) to lead the establishment of a new regulatory regime for under-16 social media restrictions. The advertisement described the programme as “high-profile” and “time-critical”.\n\nBy Wednesday 22 April, the advertisement had been withdrawn. Highly ironic for a government agency that deals with censorship.\n\nBut not before its contents revealed, in the careful language of bureaucracy, exactly how far advanced the DIA’s preparations already are – and exactly why those preparations should alarm anyone who cares about civil liberties in New Zealand.\n\n# What the DIA Is – and Why That Matters\n\nThe Department of Internal Affairs is not a neutral administrative body. It is one of the most operationally powerful agencies in the New Zealand state. It issues passports and grants citizenship. It registers births, deaths, and marriages. It operates the RealMe digital identity verification service and administers the Digital Identity Services Trust Framework.\n\nIt enforces censorship law under the Films, Videos and Publications Classification Act 1993. It maintains internet blocklists, issues formal takedown notices to online platforms, and investigates and prosecutes individuals for objectionable content online.\n\nWithin the DIA, the unit being tasked with the social media age restriction programme is Digital Safety and Identity Investigations – the department’s self-described “front line against online harm”. This unit houses the Digital Child Exploitation Team, the Digital Violent Extremism Team, the content classification function, and the anti-spam enforcement operation. The programme implementation director will sit within this branch, reporting to its general manager.\n\nThis is not a technicality. It is a structural choice with profound implications. The agency now being handed the levers of a social media age-verification regime is the same agency that decides what New Zealanders may legally view online, that operates the systems through which New Zealanders prove who they are, and that already holds the biometric data of every passport holder in the country.\n\nThe convergence of these functions in a single department – identity management, censorship enforcement, and now platform access regulation – is not the result of careful institutional design. It is the result of administrative convenience and the absence of political will to do this properly.\n\n# The Advertisement: Policy Before Law\n\nThe job description for the programme implementation director (PID) makes clear that this is not exploratory or contingency work. The DIA is not preparing options for ministers to consider once legislation passes. It is already designing the operational model, building the governance structures, defining the regulatory processes, and preparing to engage with social media companies about compliance expectations.\n\nThe role requires the PID to “lead organisation design for the Phase 1 regulator, ensuring clear accountabilities, scalability and alignment with policy intent” and to “lead the translation of legislative policy into operational settings, service models and regulatory processes”.\n\nEarly engagement with social media providers is already planned, with the PID expected to “support readiness, cooperation, and shared understanding of regulatory expectations”.\n\nNone of this is contingent on parliamentary approval. The DIA is treating the bill’s passage as a foregone conclusion – and acting accordingly.\n\nThere is a further irritant in the job description’s priorities. Among the listed responsibilities in a more detailed job description, which is, co-incidentally no longer available, is the requirement to ensure that:\n\n> Te Tiriti o Waitangi considerations are embedded in governance, design, engagement, and delivery of online safety interventions.\n\nThis is, as a stand-alone aspiration, unobjectionable. But it sits in a document that contains not a single reference to the New Zealand Bill of Rights Act 1990, to freedom of expression under section 14, or to the requirement under section 5 that any limitation on fundamental rights be demonstrably justified in a free and democratic society.\n\nThe preference for embedding vague Treaty considerations over statutory obligations to fundamental rights is revealing. It suggests that the DIA’s operational design is proceeding without adequate legal scrutiny of the legislation it is being asked to implement.\n\n# The Freedom of Expression Problem\n\nThe stated purpose of the bill is narrow: to reduce harm to children from designated social media platforms.\n\nBut the mechanism required to enforce it is anything but narrow. To prevent under-16s from holding accounts, providers must verify that every account-holder is 16 or older. There is no workable age verification system that applies only to children. As Privacy Commissioner Michael Webster has stated plainly, “to ensure under-16s are not accessing social media, all users over 16 will be required to verify their age”.\n\nThis is the central paradox the bill’s architects have not adequately addressed. A law designed to protect children’s privacy will require every adult in New Zealand to submit to identity verification simply to use the most common communication tools on the internet.\n\nSocial media is no longer a luxury or an entertainment product. It is where political debate occurs, where journalists publish, where protest is organised, where communities form and maintain themselves.\n\nA regime that conditions entry to that space on prior identity verification does not merely inconvenience adults. It imposes a chilling effect on speech – the knowledge that participation is logged, verified, and traceable – that strikes at the foundation of free expression.\n\nThe bill’s promoters have largely dismissed this concern, asserting the bill does not breach the NZBORA without adequately explaining why mandatory identity verification as a condition of online speech constitutes a reasonable limitation demonstrably justified in a free and democratic society.\n\nThat is not an adequate answer. It is not, in fact, an answer at all. The New Zealand Council for Civil Liberties has expressed concern that the bill infringes the Bill of Rights Act, the Privacy Act 2020, and the UN Convention on the Rights of the Child. These are not fringe objections. They are mainstream constitutional concerns that deserve rigorous legislative analysis, not dismissal.\n\n# The Identity Infrastructure Trap\n\nThe privacy risks of any age verification system are substantial. Webster has warned that such systems could rely on government-issued documents including passports, that age estimation technologies have high error rates, and that age inference technologies rely on data mining.\n\nEach of these pathways creates risks of data collection, data retention, and data misuse that the bill, as currently drafted, does not adequately address.\n\nAustralia’s equivalent legislation includes explicit protections: platforms are barred from requiring government-issued identity documents such as passports for age verification, and verified data must be promptly destroyed.\n\nNew Zealand’s bill contains no equivalent safeguards. This is not an oversight. It is an open door through which the DIA’s existing identity infrastructure – RealMe, the Digital Identity Services Trust Framework, the Identity Check facial recognition service already used by more than 75,000 New Zealanders – could naturally expand into the governance of social media access.\n\nThe civil liberties organisation PILLAR has argued the bill would do little to protect children but would instead “create serious privacy risks” and limit digital freedoms, warning that forcing citizens to share personal data for age verification could increase the risk of surveillance and data misuse. These concerns are not theoretical.\n\nAny age verification system generates metadata at scale: records that a particular individual of a particular age sought access to a particular platform at a particular time. Even where underlying identity documents are not retained, this metadata is a surveillance resource of extraordinary scope. Verification tools that are supposed to delete data after processing have, in practice, stored that data for longer than declared, and data can be intercepted and stolen before deletion.\n\nThe DIA already holds the details and photographs of every passport holder. It already holds biometric data from the Identity Check facial recognition service.\n\nAdding social media verification to this portfolio does not merely expand the DIA’s administrative remit. It creates a single point of failure – and a single point of potential abuse – for the digital identity of every New Zealander.\n\n# Censorship by Institutional Creep\n\nThe DIA’s censorship function is not peripheral to its operations. It is structural.\n\nThe Films, Videos and Publications Classification Act provides the legal foundation for the Digital Safety Group’s work, authorising the department to restrict access to harmful content and prevent access to banned material.\n\nThe department maintains internet blocklists, issues takedown notices to platforms, and investigates individuals for content-related offences. This is not passive regulation. It is active enforcement.\n\nPlacing this same agency in charge of designating which platforms are age-restricted – a power that rests with the minister but which the DIA will operationalise – and of enforcing compliance creates an institutional pathway through which the scope of restricted content can expand over time.\n\nPlatforms designated as age-restricted become, in practical terms, platforms made difficult to access. The history of censorship regimes provides no examples of agencies that, once given authority to restrict access, consistently chose to exercise that authority narrowly. Institutional incentives run in the other direction.\n\nThe parliamentary Education and Workforce Committee acknowledged that VPNs can circumvent local restrictions – an observation that amounts to an admission that the regime will be technically ineffective against determined users. When enforcement fails against technically sophisticated users, the institutional pressure will be to expand enforcement powers, not to accept the limitation.\n\nUnder DIA administration, that pressure will fall on an agency already oriented, by its existing mandate, towards content control and platform restriction.\n\n# The Political Question Nobody Is Asking\n\nThe original location of this legislation, once the National Party decided to back it, was in the education portfolio, under Minister Erica Stanford. The inquiry by the Education and Workforce Committee, which received 430 submissions and produced two reports, reflected a harm prevention framework centred on children’s wellbeing and digital literacy. That inquiry – whatever its limitations – was at least grounded in the right institutional question: how do we protect children from online harm?\n\nSomewhere between that inquiry and the DIA job advertisement, the framing shifted. The question is no longer how to protect children. It is how to build a regulatory enforcement regime – one that sits, not in the education sector, nor in an independent regulator, but in the same department that censors content, issues passports, builds digital identity infrastructure, and investigates citizens for what they say and share online.\n\nThat shift deserves political scrutiny it has not received. The ACT minister previously responsible for the DIA – Brooke van Velden, who abandoned the ill-conceived Safer Online Services and Web Platforms project – is leaving politics. Her departure appears to have created a vacuum in which the DIA has been permitted to advance this programme without adequate ministerial oversight.\n\nACT’s stated position – that digital ID for age verification should not be a government priority, and that a careful, sophisticated response is needed – has been overtaken by events inside the department ACT is nominally responsible for.\n\nThe question of how pre-emptive platform regulation squares with ACT’s opposition to market intervention, and whether this programme represents a coalition concession by ACT, has not been answered publicly. It should be.\n\n# What Should Happen Instead\n\nNone of this is an argument that social media harm to children is not real, or that no legislative response is warranted. It is an argument about institutional design, the separation of powers, and the conditions under which fundamental rights can be legitimately constrained.\n\nIf New Zealand is to implement a social media age-restriction regime, it should do so by establishing an independent online safety regulator – as the parliamentary committee itself recommended – rather than assigning administration to the DIA.\n\nIt should prohibit the use of government-issued identity documents for age verification, as Australia has done.\n\nIt should require immediate destruction of all verification data after each transaction is completed.\n\nIt should subject any designated verification system to independent oversight by the Privacy Commissioner.\n\nAnd it should ensure that the legislation contains robust, judicially reviewable protections for freedom of expression – not a perfunctory assertion that the bill raises no rights concerns.\n\nThe protection of children from online harm and the protection of adult New Zealanders from an overreaching surveillance state are not competing priorities.\n\nA properly designed regime can honour both.\n\nWhat the DIA is building – before the legislation has passed, without adequate rights analysis, in a department that already combines identity management, censorship enforcement, and digital infrastructure administration – does not honour either.\n\n**_Post Script_**\n\n _The withdrawal of the job advertisement two days after it was posted suggests that someone, somewhere, recognised the problem. That is not reassuring. It means the programme continues – only now, less visibly._\n\n_As it happens a new advertisement was posted_ here_after this article was finished. It makes little difference to the article and its argument, although some of the language is less strident._\n\n_Positive words like “will” and “can” become “could”. References to a “regulatory regime” becomes a “potential new regime”._\n\n_Importantly a detailed document relating to the expectations of the applicant in various key areas, which was referenced with a link in the original advertisement, is not mentioned. This document contains quite a bit of detail that is now less visible._\n\n_The words may have changed but the message and the sentiment remain the same._\n\n_This article was originally published by_ A Halfling’s View_._",
"title": "This Is Evidence of Control Creep",
"updatedAt": "2026-04-23T21:30:30.697Z"
}