Skip to content
Naked Security Naked Security

Instagram trying to protect kids by getting dates of birth from new users

It's about showing age-appropriate content, it said. Though staying safe from child-privacy lawsuits doesn't hurt, either.

No pretty Instagram pics for you, young ones who haven’t already got an account: the platform has started asking what your birthday is in order to keep underage users from signing up.

On Wednesday, Instagram said that starting that same day, it would be collecting dates of birth for new users.

It’s not hitting up current users for their dates of birth, and it’s not planning to display users’ ages. It’s just out to “keep young people safer and enable more age-appropriate experiences overall,” Instagram said.

Up until now, Instagram has only required new users to say that they’re at least 13 years old. In coming months, it will use the newly acquired, far more precise birthdays (whether truthful dates or not) to tailor users’ experiences around things such as account controls and recommended privacy settings for young people.

Reuters suggested that it’s at least partly about advertising: about expanding the audience of users who see age-restricted products, such as booze, gambling and birth control, while offering new safety measures for underage users.

But Instagram said that new advertising opportunities aren’t the driving force behind the new birthday request.

As Reuters pointed out, getting more granular in its age requirements is one way for Instagram to at least try to avoid the potentially costly wrath of child privacy lawsuits.

The video-sharing app TikTok is one example of a company that’s repeatedly been stung over child privacy missteps: in February 2019, the US hit TikTok with the biggest-ever fine for violating the Children’s Online Privacy Protection Act (COPPA), which is the nation’s strictest child privacy law.

In July, the UK launched an investigation to see if the same child-privacy issues constitute a violation of the General Data Protection Regulation (GDPR). And just this week, parents filed a class action lawsuit against TikTok.

Instagram’s head of product, Vishal Shah, told Reuters that the new birthday requirement is just the latest in its evolution away from its longstanding principles, such as anonymity:

Understanding how old people are is quite important to the work we’re doing, not only to create age-appropriate experiences but to live up to our longstanding rule to not allow access to young people.

And you plan to verify age how…?

Instagram’s parent, Facebook, has a long history of failing to keep kids from signing up for accounts. According to a 2014 study of 442 US children aged 8 to 12, one-fourth of them said that they were using Facebook, in spite of the platform’s rule that says you have to be at least 13 in order to open an account.

The problem isn’t a lack of rules about what ages can sign up for social media. The problem is verifying that kids aren’t lying about their age or haven’t gotten their parents to sign them up, be it on Facebook or Instagram.

Back in 2011, one parent, Marc Smerling, from Brooklyn, NY, had this to say about Facebook’s limp attempts to keep underage kids from signing up (after all, all the platform does is state the age limit in its terms of service):

It’s unenforceable. It’s like having a big bowl of candy and not letting them have any. The internet is everywhere around us. You can’t get away from it.

You just have to have a long conversation about the rules.

The UK’s National Society for the Prevention of Cruelty to Children (NSPCC) agreed. In response to Instagram’s announcement, it said that unverifiable dates of birth “will do nothing” to stop kids from seeing “harmful or age-inappropriate content.”

But new regulations will take of that, the NSPCC said:

Forthcoming regulation will force platforms to go further and will require them to take steps to proactively apply additional protections to children’s accounts by default.

But first and foremost the emphasis has to be on ensuring that platforms are safe in the first place for children to use.


Like having a big bowl of candy and saying, “The dentist said we aren’t allowed to give you any of this, so don’t take any, even though we make money if you do take some, older kids are allowed to take as much as they want, and we won’t be checking to make sure you didn’t take any.”


Imagine a pub or liquor store just asking people when they come in “are you of age”? And then “tightening up the rules” – a la Instagram – by simply asking them their birthdate. Gee, how long do you think they would retain their license?


“And you plan to verify age how…?”
What could possibly go wrong? Collecting another bit of PII from you?
With information already available, giving out your Date of Birth (DoB) can actually let an unscrupulous hacker get even more information about you.
For instance police in North America have long used the DoB in conjunction with a name to detect possible previous criminal activity. This information is often broadcast over open police radio frequencies.
Of course this is of no consequence to all of us unless someone named John Q. Public has the same same DoB as a suspect with the same name. In a large city, New York, Los Angeles this can be a great concern for mistaken identity by law enforcement simply trying to do their jobs and the mistaken John Q. Public who’s now been mistakenly arrested.


Leave a Reply

Your email address will not be published. Required fields are marked *

Subscribe to get the latest updates in your inbox.
Which categories are you interested in?
You’re now subscribed!