Australia's landmark law banning under-16s from social media, which came into force in December and was hailed as the world's first of its kind, is failing at the most fundamental stage of its technology implementation, according to new findings from the software testing firm that advised the government's original rollout. KJR, which ran a trial of age-assurance software on more than 1,000 Australians in 2025, opened 50 test accounts across platforms including Instagram, Snapchat, TikTok, YouTube, and X, declaring each account holder's age as 16, and found that not a single one was asked to verify their age before the account was activated. All 50 accounts remain active.
Andrew Hammond, director at KJR, described the finding in stark terms. "You should be asked to demonstrate how old you are, and not once have we been asked to verify our age or use age-assurance measures," he told Reuters. The accounts were distributed across nine of the ten platforms subject to Australia's age restrictions, meaning the failure is not isolated to a single company's implementation but is a systemic gap across the majority of the regulated platforms simultaneously. The law requires operators to take "reasonable steps" to prevent under-16s from having accounts, and the government recommended using multiple layered checks to determine age. What the KJR study found is that in practice, at least at the initial vetting stage, those checks are not being applied at all.
The implications for Australia's digital regulatory framework are direct and significant. The government has already doubled the maximum fine for non-compliance and warned of potential court action against five platforms by March. Australia's eSafety commissioner stated through a spokesperson that the regulator "remains confident that age-restricted platforms have the technology and resources they need to prevent Australian children under 16 from having accounts," a position that the KJR findings appear to contradict in practical terms. If age inference systems, which are supposed to flag accounts as potentially underage based on behavioural signals, are not catching even test accounts that explicitly declare themselves as 16, the technology layer the entire law depends on is not functioning as designed.
How the age-inference technology works, why it is failing, and what the X pornography case reveals about the gap between policy and platform reality
The technical flaw the KJR study identified sits at the first stage of the age-assurance process, a stage that has received less public scrutiny than the more visible photo-based age verification tools discussed during the law's rollout. The initial vetting stage works by attempting to infer a user's age range from their general online activity patterns, essentially guessing whether someone behaves like an adult or a minor based on their browsing and interaction data, before deciding whether to escalate to more robust identity checks. The KJR finding is that this inference mechanism is not triggering escalation even for accounts that explicitly declare their holder to be exactly at the legal minimum age of 16.
The consequences of that failure can be serious. One test account that signed up to Elon Musk's X declaring the user to be 16 was subsequently served pornographic content, a finding that illustrates precisely the harm the law was designed to prevent. Some test accounts received advertisements for youth banking products, suggesting the platforms did register an approximate age range for those users, but that recognition did not translate into an age verification request. The disconnect between a platform knowing a user appears young and taking no protective action based on that knowledge is the operational gap that the KJR study exposes most sharply.
Meta's response to the findings disputed the relevance of the test methodology, with a spokesperson arguing that Hammond's shadow trial appeared inconsistent with the regulator's guidance, which calls for escalation to formal age verification only "when behavioural indicators suggest they may be underage, or when an account is reported." The spokesperson also noted that dummy accounts declared as over the minimum age and that did not post content or engage in the way a genuine under-16 user would might not trigger the same escalation signals. That defence, however, implicitly concedes that the system depends on young users behaving in detectably young ways rather than simply lying about their age at signup, which is precisely the circumvention weakness that advisers to the original trial warned about from the beginning.
Why circumvention was the predicted failure mode that advisers flagged and regulators chose not to test for in 2025
The circumvention problem the KJR study now documents was not unforeseen. Colm Gannon, Australia CEO of the International Centre for Missing and Exploited Children, who advised the original 2025 trial, told Reuters that the issue of young users entering false birthdates was raised during the trial process but was explicitly excluded from the testing scope. "We did want to talk about circumvention, but we kept on being told that that wasn't part of the actual trial," Gannon said. "What we are now seeing is that circumvention has become the go-to by young people." That account of a known risk being deliberately set aside during the design phase of the trial is a significant regulatory process failure, not just a technology one.
The circumvention pathway is structurally simple: a person under 16 signs up to a platform and declares themselves to be 16 or older. If the platform's age inference system is not catching that self-declaration as suspicious, and the KJR findings suggest it is not, the entire enforcement chain fails at step one. The law prohibits platforms from relying solely on government-issued identification due to privacy concerns, which means there is no single definitive check that catches everyone, and the layered alternative approach requires each layer to actually function. A first layer that does not trigger escalation for accounts declaring the minimum legal age means the subsequent layers are never reached.
Amanda Third, a youth digital rights academic who advised the original trial and is participating in a two-year regulator study of the ban's impact, offered a more measured assessment, noting that platforms were always expected to begin by targeting accounts self-declared as underage before escalating to age inference methods by mid-2026. "The next round of data that's collected after this point, we may be able to see some more impressive statistics," she said. That framing acknowledges the current failure while leaving open the possibility of improvement, but it also means that for the better part of a year after the law came into force, the technology designed to protect under-16s from accessing social media has not been functioning as the legislation intended.
What Australia's experience means for global age verification regulation and the technology industry's compliance obligations
Australia's teen social media ban was designed to serve as a global model, and its implementation difficulties are being watched closely by governments in the UK, EU, and United States that are considering or advancing their own age verification requirements for online platforms. The KJR findings carry a direct lesson for that international audience: legislating an age restriction and mandating "reasonable steps" toward compliance produces very different outcomes depending on how those reasonable steps are technically defined, tested, and enforced. A law without a functional testing mechanism for circumvention is a law that the circumvention immediately defeats.
The platforms' defence that they are following the regulator's guidance on low-friction, staged verification reflects a genuine technical and privacy tension that any age verification framework must resolve. Requiring hard identity checks at signup creates data privacy risks and creates friction that drives users to less regulated alternatives. Relying on behavioural inference creates the circumvention gap the KJR study documents. Only Kick, a relatively new Australia-based live-streaming platform, required age proof before account creation, and its spokesperson explained the reason directly: as a new platform without extensive historical user data, it could not rely on behavioural inference, so it defaulted to a harder check. That reasoning inadvertently reveals that behavioural inference works, to the extent it works at all, only for platforms with large established user bases, not as a universal standard.
For the technology industry, the Australian experience is a case study in what happens when compliance obligations are defined by the regulated entities' own preferred methodologies rather than by independently verified performance standards. The eSafety commissioner's expression of confidence that platforms have the technology and resources needed to comply sits in direct tension with a study showing 50 accounts opened across nine platforms without a single age check. Resolving that tension will require either a more prescriptive technical standard for what constitutes adequate age verification, independent testing that platforms cannot design around, or enforcement consequences serious enough to change the current compliance calculus that appears to be treating the Australian ban as a box-ticking exercise rather than a genuine protection mechanism.

