Australia's Age Verification Law: A Design Failure Baked Into the Policy
Australia now requires adults to prove their age before accessing porn, R-rated games, and AI chatbots. Facial recognition. Digital IDs. Credit card details.
Nobody wants kids in dark corners of the internet. That part's right. The intent is sound. The execution is a case study in what happens when policy is written without anyone in the room who understands how products actually work.
What happened on day one
Pornhub blocked all Australian users rather than comply. A VPN app shot to number three on the App Store, right below ChatGPT and Claude.
The law's first real outcome: legal content became completely inaccessible for adults, and the workaround infrastructure built itself overnight.
That's not a side effect. That's a design failure baked into the policy itself.
The burden landed on the wrong people
Every adult in the country now has to hand biometric data to a private company just to access legal content. Think about that for a moment. Not suspected criminals. Not people doing anything wrong. Every adult, submitting facial recognition data or government ID, stored by private companies whose data security track records are... mixed.
Meanwhile, the kids the law was designed to protect? The ones who are determined have a VPN and five minutes. The barrier is trivially bypassable for anyone motivated enough to try.
This is the fundamental design flaw. The compliance burden falls entirely on the people who aren't the problem, while the target audience routes around it effortlessly.
The pattern Australia keeps repeating
Three months ago it was the social media ban for under-16s. Now this. Same pattern Australia keeps repeating, from the $64 million bus app to telling AI labs to build with 'Australian values': take a behaviour-change problem and convert it into a compliance checkbox.
Behaviour-change problems require behaviour-change solutions. Checkboxes feel decisive and look good in press releases. They just don't work.
A professor at ANU framed the actual design brief perfectly: build tech to support parents, not to replace their judgement. That's the right problem statement. It leads to a completely different set of solutions.
Robust parental controls baked into every operating system. Real minimum standards for app-level safeguards. Enforced. Audited. Updated as the technology changes.
That's a design problem. A solvable one. It's also harder, slower, and less dramatic than announcing a ban, which is probably why it keeps not happening.
Regulation sets the bar. Design is what makes it work.
Good regulation defines the outcome: children shouldn't have easy access to harmful content online. That's the bar.
But the mechanism matters. And the mechanism is a design problem. How do you protect children without surveilling adults? How do you enforce age restrictions without creating a biometric database that's one breach away from disaster? How do you make safety the default without making the internet worse for everyone?
These are hard questions. They require people who build products to be in the room when the policy is being written. The $2.5 trillion being spent on AI isn't solving these design problems either. Not after. Not as consultants who submit feedback that gets filed and forgotten. In the room.
Right now, Australia keeps writing the regulation and skipping the design. And every time, the outcome is the same: the people who need protecting find the workaround, and the people who don't need protecting bear the cost.
---
