The "Noble Cause" Fallacy: How Good Intentions Open the Door to Less Privacy and More Control
Every day brings fresh demands for age verification on the internet. The pitch is always the same: we must check everyone's age online to protect the children. Who could argue with that? Protecting kids feels like common sense. Recent examples like the US KOSA (Kids Online Safety Act), or the Social media ban in Australia feel like a good thing on the surface.
We see children (and adults) glued to screens everywhere. Parents worry about social media addiction. What starts as "just ten minutes of scrolling" turns into hours lost to doom scrolling. Then there are the real dangers: predators lurking on social platforms and gaming sites, trying to exploit kids and draw them into harmful situations.
Similar appeals appear in finance. We want to stop criminals from laundering dirty money or funding terrorism. That is why the Bank Secrecy Act of 1970 requires banks to report cash transactions over $10,000. Back then, that amount was a high threshold. Adjusted for inflation, $10,000 in 1970 equals roughly $80,000 to $85,000 today. Yet the reporting limit stays stuck at $10,000, even as recent proposals in Congress aim to raise it to $30,000 with future inflation adjustments.
Later rules built on it: Know Your Customer (KYC), anti-money laundering (AML), and counter-terrorism financing (CTF) measures. Now almost any financial activity demands ID, proof of income, and other personal details. After all, who opposes blocking criminals and terrorists from moving money freely?
The pattern repeats with calls for digital IDs and central bank digital currencies. Leaders promise a modern, convenient way to prove who we are and handle money more securely. It all sounds helpful and up-to-date.
These examples share one thing: each rests on a noble cause justification. Protect kids. Stop crime. Fight terrorism. Make life easier. Yet in practice, few deliver the promised results while handing governments far greater power to monitor and direct our lives. At the same time, they collect vast amounts of our personal data, leaving it exposed to hackers and misuse. What begins as "just this one safety measure" quietly erodes privacy for everyone.
Age Verification for Online Protection
The rallying cry is always "protect the children," yet mandatory age checks have delivered little real safety while creating serious new risks. Many systems rely on uploading IDs, selfies, and/or facial scans, which hand over sensitive personal data to private companies or platforms. Hackers love these centralized troves: breaches have already leaked millions of records, exposing kids and adults to identity theft, fraud, and harassment.
Even worse, determined teens routinely bypass these barriers using VPNs, fake documents, or unregulated sites, meaning the rules mostly inconvenience honest adults without meaningfully reducing kids' exposure to harmful content. Studies and real-world rollouts show these measures often create a false sense of security for parents while driving activity underground into less regulated spaces. In practice, they fail to curb addiction, predation, or inappropriate material at scale, yet they erode everyone's privacy and anonymity online.
Worse still, once everyone must identify themselves online, abusive governments gain easy tools to censor dissent. Consider the 1989 Tienanmen Square protests and massacre. While most people worldwide can read the full Wikipedia entry, it has been scrubbed from view in certain countries, leaving citizens unable to learn about an event the rest of the world witnessed live. Identity requirements make such suppression simpler and more thorough.
Recent cases show how these systems enable overreach even in democracies. In Germany, police launched an investigation against a pensioner who called Chancellor Friedrich Merz "Pinocchio" in a Facebook comment criticizing unfulfilled promises. The probe fell under laws against insulting politicians. Similar actions target everyday criticism on social media, turning vague "insult" rules into tools for chilling speech. What starts as child protection can slide into routine monitoring and punishment of opinions.
So while requiring ID to use the internet may feel like the right move to safeguard kids, it carries real dangers of abuse, censorship, and unintended harm to free expression.
Financial Reporting Under the Bank Secrecy Act and Related Rules (KYC/AML/CTF)
These laws aimed to stop money laundering, terrorist financing, and criminal cash flows by forcing banks to flag large transactions and suspicious activity. The original $10,000 USD threshold was meant to catch big fish without drowning the system in paperwork. Decades later, institutions file millions of reports annually, yet the impact remains tiny.
Let's be honest with the situation: the US dollar has lost approximately 87% to 88% of its purchasing power since 1970, based on official inflation data from the US Bureau of Labor Statistics. That means that $1 in 1970 is equivalent in purchasing power to about $8.16 today, so that $10,000 USD threshold is much more in reach today than when it was created.
Law enforcement uses these reports far more to build existing cases than to start new ones proactively. Only a small fraction lead to investigations, arrests, or convictions, with estimates showing the overall hit rate on criminal proceeds as low as 0.1% to 1%. Criminals adapt by structuring payments to avoid triggers ("smurfing"), using cash-heavy methods, or shifting to unregulated channels like cryptocurrencies or informal networks. Meanwhile, compliance costs run into tens of billions yearly, hitting smaller banks hardest and burdening everyday customers with endless ID demands and frozen accounts (debanking). The noble goal of choking off dirty money has mostly produced mountains of data with minimal disruption to serious crime.
With finance now mostly online, KYC demands scanned or photographed IDs stored indefinitely by verification providers, turning them into prime targets for hackers. A massive recent example: in February 2026, researchers discovered an unsecured database tied to IDMerit, an AI-powered identity verification firm, exposing roughly 1 billion sensitive personal records (out of over 3 billion total entries) across 26 countries. The leak included national IDs, full names, addresses, phone numbers, emails, and more; nearly a terabyte of data ripe for identity theft, fraud, and phishing. This follows patterns seen in earlier incidents like the 2024 National Public Data breach and even Discord's shift away from its prior verification partner after concerns over data practices and surveillance ties.
These systems, meant to secure finance, instead create honey pots for bad actors while doing little to stop scams like "pig butchering" operations that exploit stolen identities anyway.
Digital IDs and Central Bank Digital Currencies
Proposals for digital IDs and CBDCs promise streamlined identity checks and safer, faster payments. And maybe, just maybe, even easier interactions with the government and banks. In theory, they modernize outdated systems and reduce fraud. In reality, they concentrate vast personal and transaction data in government or central bank hands, creating irresistible targets for hackers and single points of failure. Worse yet, they don't replace any of the current required paper documents.
Privacy evaporates when every purchase or transfer leaves a traceable trail. Critics warn of built-in surveillance potential, where authorities could monitor, restrict, or freeze access based on behavior, politics, or compliance. Real-world digital ID experiments have suffered massive breaches, exclusion of vulnerable groups, and misuse for tracking. CBDCs raise similar fears: without strong anonymity safeguards, they risk turning routine finances into a government ledger. Few pilots or proposals have shown they outperform existing payment systems in curbing crime or fraud while preserving freedom. Instead, they often amplify control and exposure without delivering promised security gains.
Finally, they leave little room for a backup when networks go down. A recent example is when a major internet outage occurred in Spain on April 28, 2025, caused by a historic power blackout across the Iberian Peninsula that affected both Spain and Portugal. No power or internet? Well...that's a problem.
The Appearance of Taking Action
In each case, the pattern holds: a worthy cause justifies expanded data collection and oversight. Results fall short of the hype, harms to privacy and liberty pile up, and governments gain tools that outlast any temporary crisis. What starts as protection quietly becomes routine surveillance. As Milton Friedman famously said, "Nothing is so permanent as a temporary government program."
Every time, the noble cause is presented in isolation, without weighing past history, related efforts, risks of future abuse, or solid evidence that the measure works or will work. Instead, it creates the appearance of decisive action, of boldly taking a stand.
Without meaningful follow-up or proof of effectiveness, these programs expand unchecked. The BSA's $10,000 threshold has never been adjusted for inflation despite decades of erosion in value. Pig-butchering scams still thrive using stolen IDs to open accounts. KYC databases remain hot targets for criminals. Officials rarely explain how these measures truly succeed; they just call for more of them.
Don't fall victim to the noble cause fallacy. Don't accept recommendations at face value. Stay skeptical. Ask your elected representatives hard questions about the real effectiveness of existing rules. They work for us: they should prove these measures protect us rather than just control us.
Remember: we may not have anything to hide, but everything to protect.
