'A disaster waiting to happen' — Cybersecurity experts react to UK age verification law

Tom's Guide, 11 hours ago
It's been almost a week since the Online Safety Act became law in the U.K. The legislation aims to protect children and vulnerable internet users online and prevent them from seeing content deemed as "explicit material."
The law is well-intentioned but has led to some heated debates, with questions being raised surrounding the impact on our online privacy.
Age verification checks are required in order to access certain websites. Submitting photo ID, having your credit card checked or AI scanning your face are some of the ways your age can be verified.
People are understandably cautious about handing over this sensitive personal data to third parties. As a result, many have been turning to the best VPNs in an attempt to bypass these checks.
But how have cybersecurity experts reacted to the age verification law? There is widespread agreement that under-18s need to be protected online. But experts see the law as an online privacy nightmare, full of cybersecurity risks.
Tom's Guide has spoken to a number of industry figures to hear their thoughts.
NordVPN – our top pick for private browsing
After testing and reviewing dozens of VPNs, NordVPN came out on top. It's a well-balanced package with great speeds, servers in 126 countries, and excellent privacy credentials. It's also very effective at accessing geo-blocked content on sites like Netflix.
One subscription covers 10 devices, and plans start at a reasonable £2.31 / $2.91 per month (£64.56 / $81.36 plus tax up front for 28 months). There's a 30-day refund period in case you don't like it.
The main concern experts have is the danger, and potential fallout, of a data breach. A majority of the information people need to submit is highly sensitive and could be easily exploited by hackers should a data breach occur.
Windscribe VPN CEO and co-founder, Yegor Sak, described the law as "a disaster waiting to happen."
He said requiring people to submit biometric information and IDs to browse the internet is "absurd" and "dangerous."
"It creates centralized databases full of sensitive info, which inevitably get breached or abused," Sak said, and cited the recent Tea app data breach as an example.
Sak added that "policymakers are, once again, trying to fix complex social issues with crude technical mandates. The result is a surveillance framework that punishes everyone in the name of 'protecting' the few."
Obscura VPN founder Carl Dong said the collection of sensitive personal data makes people "high-value targets for ransomware criminals."
"This law is a ticking time-bomb for the privacy of UK citizens – the question isn't if a site gets breached, but when," he warned.
VPN usage in the UK has surged dramatically in the days following the Online Safety Act's introduction.
Leading provider Proton VPN saw sign-ups increase by 1,400% over its baseline. Monitoring by top10vpn.com recorded overall VPN demand peaking at 1,987% on July 27.
According to Google Trends, the search terms "VPN," "UK VPN" and "free VPN" have all increased. NordVPN, Proton VPN, ExpressVPN, Surfshark and Mullvad VPN are just some of the VPN providers that have seen search increases.
VPN apps have risen to the top of the free app charts on the U.K. Apple App Store. Proton VPN, NordVPN, Surfshark and Opera VPN are reputable providers that have seen a rise.
However, suspect VPNs have risen, too. VPN Super Unlimited Proxy, Free VPN by FreeVPN.org and Free VPN: Unlimited VPN Proxy are apps we'd recommend avoiding.
Certain free VPNs collect high amounts of usage data and rely on in-app ads to make their money. If you're after a free VPN, take a pick from our guide on the best free VPNs.
The brains behind the law, OFCOM, has discouraged VPN use to avoid age verification checks, but privacy experts see no alternative.
A Proton VPN spokesperson said, "the majority of the proposed [age verification] methods outlined by OFCOM pose significant risks to user privacy and security."
"While some approaches might seem convenient on the surface, many come with substantial trade-offs regarding user trust and long-term security."
Almost all the experts we spoke to stressed the importance of protecting vulnerable internet users. But the act in its current form poses too great a risk.
VPN provider IPVanish believed that more effective and less harmful options should be explored.
"IPVanish supports efforts to protect children from harmful content online, but the UK's age verification law poses serious risks to privacy, security, and digital rights," the company said.
"More secure and less intrusive alternatives exist, including anonymous age tokens and device-level parental controls. These solutions have not been fully explored."
IPVanish also said this policy "threatens vulnerable users." It commented that "people in restrictive environments or exploring sensitive topics could face real-world harm if their activity is exposed."
Some people – such as those living under internet censorship – cannot afford to have their information leaked. Although this isn't the case in the U.K., it reinforces the risk faced by numerous internet users.
"Privacy is a fundamental right, not something to be traded for access," IPVanish continued. "The UK's current approach sets a troubling precedent and fails to strike a balance between safety and individual freedom."
Denis Vyazovoy, Chief Product Officer at AdGuard VPN, said he fully supports "a safer internet for everyone, especially for children, but it's important to remember that privacy and freedom of access matter, too."
Vyazovoy argued that "people just want to protect their privacy," and he believed uploading sensitive documents to be checked was "simply too much for many." However, he hoped "the UK authorities will be able to find the right balance."
One expert we spoke to believed a lack of trust was fuelling attempts to bypass age verification checks.
Lauren Hendry Parsons, Director of Communications at the Mozilla Foundation, said, "the explosion of VPN downloads following the enactment of the Online Safety Act is not surprising."
"What this reflects is that people want continued access to the platforms, content, and communities they care about — and they'll find workarounds when those are disrupted," Hendry Parsons said.
Her view is that "people are voicing legitimate concerns about the requirement to share sensitive data." These concerns are raised when "systems are perceived as intrusive or opaque — or where data collection may not be properly handled."
"We support protecting minors online, but firmly oppose age verification systems that compromise user privacy."
"The root issue here is trust. People turn to workarounds when tools are hard to use, lack clarity, or feel risky," she added.
Hendry Parsons called for improved public education and greater transparency around age verification systems, describing it as a "pressing need." She continued by saying, "safety online shouldn't come at the expense of autonomy and privacy — and when trust is low, people will take matters into their own hands."
Like IPVanish, Hendry Parsons cited the need for more effective and privacy-focused age verification checks.
"I'd push for privacy-preserving, decentralised approaches, like device-based enforcement and anonymous credentials that don't expose personal data or enable surveillance," she said.
It's the view of one expert that we could be seeing the "new normal," and he suggested we may have to accept "some compromise of our privacy."
Dr Ilia Kolochenko, CEO of security company ImmuniWeb, accepted that there is disagreement over the law's effectiveness. However, he said, "we probably need to accept it as a new reality that will likely become the 'new normal' in many countries pretty soon."
"There is a compelling interest to protect our children from harmful content," Dr Kolochenko said. He continued by saying, "it is true that protection of minors will probably require some compromise of our privacy — if properly implemented."
Proper implementation would mean securely handling sensitive information, minimal to no sharing and deleting it once age verification checks are passed. If this is done, Dr Kolochenko believed "the mandatory age-verification mechanism may hold water," but other experts are not so sure.
Dr Kolochenko addressed the VPN loophole we have seen many Brits taking advantage of, and hypothesized that VPN traffic would be targeted in the near future.
"We will probably see additional legislation pretty soon that will require adult-oriented websites to ban VPN traffic," he said.
"Certainly, some VPNs will remain undetected. However, about 90% of most popular free and commercial VPN services can be fingerprinted and will likely be blocked by adult-content providers, closing the loophole."
We are yet to see any indication of this or even an outright VPN ban in the U.K. This would be incredibly dangerous and amount to internet censorship. In countries where internet censorship is rampant, VPN providers have to turn to obfuscation.
VPN obfuscation is where VPN traffic is disguised, appearing as regular internet traffic. Many leading VPN providers either obfuscate their traffic by default or have dedicated obfuscated VPN protocols.
Mullvad VPN is one of the most private VPNs, and its CEO Jan Jonsson said the discussion around the law "raises important questions."
He said, "identification should be issued by the state," and it was the role of the government to provide this. "It should be possible for third parties — like websites or service providers — to verify age from such an ID, without needing to know your full identity or store your personal data."
"Just as a bartender glances at your ID to confirm you're over 18 and then forgets who you are, digital systems should offer that same minimal and privacy-respecting interaction."
"Unfortunately, governments too often lean on private tech companies to build surveillance-based systems in the name of safety," Jonsson said.
"Outsourcing identity control and age checks to commercial actors creates serious risks — for privacy, for data security and for civil liberties. There are better, more rights-preserving ways to approach this."
The type of age verification checks varies between websites, companies, and third-party providers. Some claim to be more private and secure than others, but regardless of who is collecting our data, and how or where it's being stored, the fundamental issue is that it's being collected in the first place.
Users have no control over which third-party age checking service a site uses and don't always know what happens to their data once it's handed over.
AgeGO is an age-check service that is being discussed, and Tom's Guide investigated whether it's safe to use.
Jonsson wanted to see a wider discussion on the underlying issues should age verification turn out to be ineffective.
"I would encourage a broader reflection on the underlying issues. Not just age verification itself, but how we balance safety, privacy, and freedom online," he said.
"That conversation needs to involve more than just technical solutions and enforcement measures. Else current and future regulation will cause more harm than good."
"VPN services like Mullvad exist to protect fundamental rights, especially the right to privacy, the right to freedom of expression, and the right to access information. These are rights that are increasingly under pressure in the digital age," Jonsson concluded.
At the time of writing, 450,000 people have signed a petition calling for the repeal of the Online Safety Act. The U.K. government has said it's not going to do this, and certainly not in the first week.
But clearly, there is a strong opinion from all sides on this topic and serious privacy concerns. A majority of experts believe the implementation of the act is wrong, and it poses great risks for the personal data of U.K. internet users.
Until these privacy risks have been effectively addressed, people will continue to avoid age verification checks. Doubling down on measures and exploring forms of VPN bans would only create more problems and set a dangerous precedent for internet privacy.
We test and review VPN services in the context of legal recreational uses. For example: 1. Accessing a service from another country (subject to the terms and conditions of that service). 2. Protecting your online security and strengthening your online privacy when abroad. We do not support or condone the illegal or malicious use of VPN services. Consuming pirated content that is paid-for is neither endorsed nor approved by Future Publishing.
