2. Web2 is not the open Internet
A central mistake is treating “social media,” “the Internet,” and “free speech” as a single object. They are not the same thing.
The open Internet
Websites, forums, blogs, email lists, RSS feeds, libraries, archives, open-source repositories, search, small communities, public-health signals, whistleblower channels, and support networks. Its healthier forms are user-directed: one searches, subscribes, reads, publishes, leaves, and returns.
Web2 social media
Centralized, mobile-first, advertising-funded, behaviorally tracked, algorithmically ranked, socially gamified, and optimized for engagement. It does not merely host speech; it shapes attention and rewards whatever keeps users scrolling.
The metaphor matters. The open Internet is closer to a library, printing press, public square, emergency network, and bulletin board. Web2 social media is closer to a behavioral casino attached to a surveillance-advertising business model.
If the harm comes from the casino mechanics, the remedy should regulate the casino mechanics. KYC regulates the person entering the building. Product-safety regulation regulates the slot machine.
3. AI strengthens the need for better architecture, not identity checkpoints
AI makes the problem more urgent. It can scale persuasion, deception, personalization, deepfake abuse, chatbot intimacy, automated harassment, and behavioral targeting. It can also help audit platforms, assist moderators, detect dangerous patterns, and support human caregivers when designed with safeguards.
The lesson is not “AI is bad” or “AI is good.” The lesson is that high-power systems need institutional constraints. Bender and coauthors warned that large language models can reproduce bias, obscure accountability, and generate fluent but unreliable language at scale.10 Research on human-AI collaboration in peer mental-health support shows a better direction: AI can improve outcomes when it augments human support rather than replacing human judgment or manipulating users.11
AI also makes identity infrastructure more dangerous. A world of biometric age checks, persistent identity tokens, platform-level behavioral profiles, and AI-driven inference is not merely a privacy inconvenience. It is a machinery for automated sorting, exposure, coercion, and repression. Narayanan and Shmatikov’s de-anonymization research showed years ago that supposedly anonymized social-network data can often be re-identified through network structure alone.12 AI increases the scale and precision of those inferences.
4. Cypherpunk principles are social goods, not antisocial loopholes
The strongest version of the anti-KYC argument is not corporate libertarianism. It is a civil-rights and public-health design ethic: do not centralize identity, surveillance, and speech control in systems that future governments, corporations, abusers, criminals, or hostile states can exploit.
Cypherpunk principles begin from a social reality: power is asymmetric. Governments, platforms, employers, schools, landlords, police departments, mobs, and abusive households often have more power than the individual speaker. Privacy tools reduce that asymmetry. They are not only individual conveniences; they are public goods that make dissent, whistleblowing, minority identity exploration, source protection, and safe help-seeking possible.
Eric Hughes’s 1993 Cypherpunk’s Manifesto begins with the claim that “privacy is necessary for an open society.” Hughes distinguishes privacy from secrecy: privacy is selective revelation, not universal concealment.13 The United Nations Special Rapporteur David Kaye reached a similar human-rights conclusion in 2015: encryption and anonymity enable people to exercise freedom of opinion and expression in the digital age and deserve strong protection.14
John Gilmore’s line that “the Net interprets censorship as damage and routes around it” captured an engineering culture of resilience, not an excuse for harassment.15 Gilmore also coauthored the peer-reviewed Journal of Cybersecurity article “Keys Under Doormats,” which warned that mandated exceptional access to communications would increase system complexity, create concentrated attack targets, and undermine security.16
Privacy by default
Protects victims, patients, whistleblowers, dissidents, closeted youth, stigmatized groups, and ordinary citizens from forced exposure.
Strong encryption
Protects everyone’s security: children, hospitals, journalists, schools, banks, activists, families, and public agencies.
Pseudonymity
Allows lawful participation without legal-name exposure, while still permitting reputation, moderation, and due-process escalation for serious abuse.
Decentralization
Reduces the power of any single platform, billionaire, regulator, or mob to determine who may speak and what may be seen.
Data minimization
Prevents platforms from collecting data they do not need, lowering breach risk, profiling risk, and abuse risk.
User agency
Supports user-chosen feeds, transparent rules, portable social graphs, appeals, and controls instead of opaque algorithmic manipulation.
5. “Free speech for whom?” is the right question
Free speech cannot mean unlimited reach for the powerful while the vulnerable absorb harassment. It cannot mean racism, doxxing, threats, targeted abuse, fraud, nonconsensual intimate imagery, or algorithmic amplification of lies. “Free speech at any cost” is not the argument.
The real principle is narrower and stronger:
Forced identification does not burden everyone equally. It burdens people who need privacy most: abuse survivors, whistleblowers, undocumented workers, LGBTQ youth in hostile homes, religious minorities, dissidents, labor organizers, stigmatized patients, journalists’ sources, and people documenting racism or police abuse.
Research supports this concern. A systematic review in JMIR found that social media can support LGBTQ youth through peer connection, identity management, and social support; anonymity, multiple accounts, audience restriction, and strategic disclosure can help youth navigate unsafe environments.17 Haimson and Hoffmann’s study of Facebook’s “authentic identity” policy found that real-name enforcement created problems for transgender and gender-variant users, drag performers, Native Americans, abuse survivors, and others whose identities did not fit a rigid administrative naming system.18
Moderation systems can also reproduce inequality. Haimson and colleagues found that transgender and Black users in their dataset experienced disproportionate content and account removals; transgender users’ removed content was often related to queer or trans issues, and Black users’ removed content was frequently related to racial justice or racism.19
So the answer to “free speech for whom?” is: for the people least able to survive forced exposure. Not for harassment. Not for racism. Not for lies. But for the vulnerable person who cannot safely speak under a legal name.
Back to top ↑6. Why Internet KYC is the wrong policy layer
Starmer-style age assurance is often described as “KYC for the Internet.” Strictly, the UK debate is framed around age assurance, under-16 social-media restrictions, and Online Safety Act enforcement, not universal banking-style KYC for every website. But once general-purpose platforms must distinguish under-16s from everyone else, every adult must also prove they are not under 16. Age assurance becomes an identity or credential layer for major parts of digital life.
Recent reporting says the UK plan would block under-16s from major platforms such as Snapchat, TikTok, YouTube, Instagram, X, and Facebook, while excluding WhatsApp and Signal. Reported enforcement methods include facial age estimation, digital IDs, and bank verification. Critics warn that a ban may create a false sense of safety and push children toward riskier services.20 The UK is also considering whether platforms should prioritize “trusted news” in feeds and search, which illustrates how quickly age assurance, ranking policy, and state involvement in information visibility can overlap.21
| Policy test | KYC / broad age-gating | Design-layer regulation |
|---|---|---|
| Question asked | Who are you? | What is the platform doing? |
| Target | User identity and access. | Recommenders, ads, dark patterns, contact features, and amplification. |
| Specificity | Low. It burdens many lawful, beneficial uses. | Higher. It targets the mechanisms that produce compulsive use and harm. |
| Privacy risk | High. It normalizes identity checkpoints and verification intermediaries. | Lower. It can be implemented with audits, design rules, and data minimization. |
| Distribution | Hits undocumented people, abuse survivors, LGBTQ youth, dissidents, and people without stable documentation hardest. | Improves the product environment without requiring legal-name exposure. |
| Tail risk | Creates reusable infrastructure for censorship, surveillance, and political expansion. | Creates rules for harmful product features while preserving civil-liberties guardrails. |
Bad messengers do not settle the issue. A politician may invoke “free speech” opportunistically. A billionaire may use free-speech language to defend his own power. That hypocrisy should be criticized. But hypocrisy by a messenger does not make identity-gated Internet policy safe. The policy must be judged by its structure: who gains power, what infrastructure is built, who is exposed, who is chilled, and how easily the system can be expanded.
Chilling effects are empirically real. Jon Penney’s peer-reviewed study found that surveillance and legal threats can chill lawful online speech, search, and personal sharing; it also found a useful nuance, namely that targeted anti-cyberbullying laws may increase some women’s willingness to share online.22 Stoycheff’s study found that perceived surveillance can suppress expression of minority political views online.23 King, Pan, and Roberts’ study of Chinese censorship found that censorship often targets collective-action potential rather than mere criticism.24
7. A better regulatory program: serious, targeted, and civil-liberties preserving
The alternative to Internet KYC is not laissez-faire. It is a tougher and more precise regulatory program aimed at the actual machinery of harm.
Ten concrete measures
- Ban behavioral advertising and profiling for minors. Children should not be targeted based on inferred insecurity, sexuality, impulsivity, depression, body-image vulnerability, family conflict, or emotional state.
- Require non-personalized feeds by default for minors. Chronological, subscription-based, topic-bounded, or user-selected feeds should be the default; engagement-maximizing recommender systems should be opt-in and easy to disable.
- Restrict addictive design patterns. Limit infinite scroll, autoplay, streaks, late-night push notifications, public popularity metrics, manipulative prompts, and reward loops designed to extend use.
- Audit recommender systems for child harm. Platforms should have to test whether their systems amplify self-harm, eating-disorder content, sexualized content, racist content, bullying pile-ons, extremist content, or compulsive-use loops.
- Restrict adult-stranger contact with minors. Limit unsolicited adult DMs, child livestreaming, child discoverability, and algorithmic surfacing of minors to adult audiences.
- Regulate AI companions and synthetic intimacy products for minors. High-risk AI companions should face special duties around age-appropriate design, crisis escalation, dependency, sexual content, manipulation, and transparency.
- Provide privacy-safe researcher access. Independent researchers need audited access to platform data to evaluate harms, but under strict privacy and security constraints.
- Require transparent, appealable moderation for actual abuse. Threats, doxxing, stalking, sextortion, swatting, nonconsensual intimate imagery, fraud, and targeted harassment should face fast enforcement with due process.
- Preserve pseudonymity for lawful speech. Use reputation systems, rate limits, account history, anti-spam controls, friction, and warrant-based escalation for serious abuse — not universal legal-name exposure.
- Break platform lock-in. Interoperability, data portability, portable social graphs, open protocols, and user-chosen algorithms reduce monopoly power and make it easier to leave unhealthy platforms.
The EU Digital Services Act points toward some of this model: targeted-ad restrictions for children, limits on dark patterns, transparency duties, non-profiled recommender options, systemic-risk assessments, independent audits, and data access for vetted researchers.25 That regulatory direction is more promising than treating every user as an identity object.
8. What the cyberbullying, humane-tech, and AI sources get right
The cyberbullying literature is not the enemy of an anti-KYC argument. It is part of the argument. Patchin, Hinduja, and related researchers show that online harms are real and deserve targeted intervention. Their work strengthens the case for anti-harassment enforcement, school climate work, victim support, platform accountability, and prevention — not for universal identity exposure.
The humane-technology critique also fits this framework. Tristan Harris and related critics are right that engagement-maximizing design can exploit attention, especially in young people. But that critique points toward regulating infinite scroll, autoplay, persuasive design, recommender systems, and advertising incentives — not toward making every adult and child pass through an identity checkpoint to participate online.
The AI critique fits too. AI increases the stakes of design, persuasion, misinformation, deepfakes, synthetic intimacy, and automated abuse. But the answer is not to attach every person’s legal identity to every act of online reading or speech. The answer is risk-based AI governance, content provenance where appropriate, bans on nonconsensual sexual deepfakes, liability for harmful deployments, independent audits, privacy-preserving safety tools, and human oversight.
Conclusion
The best response to the current crisis is neither “free speech at any cost” nor “trust the state and platforms to identity-gate the Internet.”
Web2 social media is harmful enough to regulate seriously. But KYC is the wrong layer. The problem is not that people can speak anonymously. The problem is that a handful of platforms built engagement machines that profit from compulsive use, social comparison, harassment, outrage, racism, misinformation, behavioral profiling, and opaque recommender systems.
Cypherpunk principles should be understood as social goods: privacy, encryption, pseudonymity, decentralization, data minimization, and user agency are not ways to avoid society. They are ways to protect society from concentrated power. They help vulnerable people speak, organize, seek help, report abuse, and resist domination.
- Protect children from Web2.
- Protect the open Internet from identity checkpoints.
- Punish threats, harassment, doxxing, stalking, sextortion, fraud, and abuse.
- Preserve anonymity and pseudonymity for lawful speech.
- Ban behavioral advertising to minors.
- Require non-personalized feeds by default.
- Audit recommender systems and AI companions.
- Restrict infinite scroll, autoplay, manipulative notifications, and dark patterns.
- Limit adult-stranger contact with minors.
- Give users appeals, transparency, and control.
- Break platform lock-in.
More directly: regulate the thing actually harming children — the feed, the recommender system, the ad model, the dopamine loop, the AI companion product, and predatory contact structures — not the legal identity of every person who wants to speak, read, organize, research, dissent, or seek help online.
Back to top ↑