Restrictions must balance rights to information with need to protect vulnerable groups: Academic
PETALING JAYA: Experts are divided on the feasibility and impact of Malaysia’s plan to restrict social media access for users aged under 16, warning that legal, cybersecurity and behavioural challenges must be addressed before any enforcement model is finalised.
Universiti Kebangsaan Malaysia legal scholar Prof Emeritus Datuk Noor Aziah Mohd Awal said Malaysia has sufficient legislative groundwork to regulate children’s online safety, but effective enforcement remains the biggest test.
She said the upcoming Online Safety Act 2025 is “a very good law” for controlling and monitoring children’s online activitiy, including imposing age limits on social media platforms.
“Parents must play an important role in making sure their children do not register or even open an account with any of these platforms by using false names or providing an inaccurate age.
“Platform providers must also be responsible. They must ensure they check who opens an account, who they are and what they are doing.
“This is important because the law by itself is not going to be enough to provide protection to children online.
“Restrictions must also balance children’s rights to information with the need to protect vulnerable groups.”
Meanwhile, Universiti Malaya cybersecurity expert Prof Ainuddin Wahid Abdul Wahab said the electronic Know-Your-Customer (eKYC) protocol could improve safety and reduce scams, but only if platforms adopt strict privacy safeguards to prevent misuse or large-scale data breaches.
“eKYC could be safe and useful, but only with strict privacy rules. It is like showing a MyKad to enter a stadium, but the organiser must guard the entry carefully.
“A balanced alternative is age-only proof, in which a trusted checker confirms you are over 13 or 18 years old without sharing your full identity.
“Some European Union/United Kingdom models use third-party age tokens (independent services verifying age without ID), so platforms do not keep IC scans, which is more secure and produces less data to steal,” he said, adding that platforms implementing eKYC must be prepared for heightened risks.
“The risks include breaches and misuses. Over time, a breach is possible because large platforms are frequently targeted,” he said, adding that eKYC raises the value of stolen data.
“It is like upgrading from a key to a fingerprint lock. It is more secure, but if fingerprints are leaked, it is hard to change.
“Global breaches show that even strong firms can get hacked. Malaysia should require data minimisation, regular audits and prompt breach notices to users.”
Ainuddin Wahid said social media platforms are capable of protecting user data but are structurally vulnerable due to large internal access points and third-party systems.
“Platforms invest in security and experts, so they can protect data. However, they are designed to collect and share data at scale for ads, across multiple apps and vendors, which increases the risk.
“Think of an airport. It has strong security, yet with so many doors and workers, there are more chances for mistakes.
“Even with encryption, numerous internal access points and third-party tools could become weak links unless closely monitored and regularly reviewed.”
He said linking identity to online behaviour increases the impact of future breaches.
“A normal breach leaks usernames. An eKYC breach could leak IC numbers or biometrics linked to real activity. That is why we need strict limits and deletion policies.”
On Wednesday, an English portal reported that the government plans to require social media platforms to implement eKYC verification using MyKad, passports or MyDigital ID by mid-2026.
Communications Minister Datuk Fahmi Fadzil said platforms may be instructed to freeze accounts belonging to users until they reach the age of 16, as part of a broader effort to tighten online identity verification.
