Policymakers don’t always get it right first time when it comes to technology. Why should they? They’re experts in politics and law-making, not in tech.
The first version of the contact-tracing app for Covid-19 cost over £11 million before it was scrapped, and was eventually replaced by an app using technology from Apple and Google.
It took two goes, and intervention from the National Cyber Security Centre (NCSC), to come to the conclusion that maybe it wasn’t such a good idea to have Chinese company Huawei quite so deeply embedded in the infrastructure of the UK’s 5G mobile phone network.
And, indeed, a £1bn investment plan for AI was scrapped in 2024 before it was decided that a scheme to unleash an AI master plan to make the UK a world leader was probably in the country’s best interests less than a year later.
And so could it be with the Online Safety Act 2023 (OSA) and its accompanying age verification process which came into being on July 25, 2025. Within a week, half a million people had signed a petition demanding the OSA’s repeal because the lawmakers, they say, have got it wrong. Although they haven’t. Not really.
The Online Safety Act is a blunt, badly designed, poorly implemented tool to prevent children from consuming content that their parents – and likely society at large – would rather they didn’t. But it is doing a job. It has, at least, put up a more serious barrier to adult websites than the previous ‘Are you over 18 – Yes, I am’ click-button system.
The trouble is the problem that its age-verification requirements create for everyone else – everyone who is over 18 and wishes to access whatever adult-deemed websites they were used to pre-July 25, 2025.
To do so now requires giving something of yourselves away – a more indelible virtual paper trail of evidence connecting the user to those sites and services, as well as the risks that come with handing over a copy of our identity to a series of third parties that we have to trust not to lose or abuse it.
For some people, this amounts to censorship. It simply isn’t worth the risk of looking at adult content if there’s any chance that content could be tied to them.
We’re advocates of online privacy at TechRadar – it’s one of the reasons we cover VPNs and other security software and stories in depth – and that makes it all the harder to swallow UK telecoms regulator Ofcom’s age verification process in its current form.
As it stands, we advise readers to avoid entering their details into age verification systems, or at least being judicious about which services they choose to share their information with.
But we are on the side of the spirit of the scheme, and with what the Online Safety Act aims to achieve. Instead of repealing it, we would like to see the UK Government and Ofcom improve its implementation rather than abandon what is, at heart, a right and good idea.
Why the Online Safety Act deserves to stay
As stated on gov.uk, the OSA aims to “prevent children from accessing harmful and age-inappropriate content”, and force platforms to be “more transparent about which kinds of potentially harmful content they allow”.
Around nine out of 10 children in the UK now have a mobile phone by the age of 11 according to Ofcom research. And one in five children aged between 8-17 have an adult profile on an online service. That’s potentially a huge number of under 18s with easy access to adult content in pre-OSA times.
Sure, plenty of responsibility lies with parents here, and the arrival of the OSA hasn’t changed that; but, until now, there’s been no help from the authorities at all.
Age verification has been something of a joke – the equivalent of a blindfolded bouncer asking people queuing to get into a nightclub if they’re old enough to get in and waiting for someone to say no.
Tech-savvy parents, or parents with plenty of time to do their research (do those exist?) can make a reasonable fist of ensuring that their children have limits and locks on their account but, realistically, the odds are stacked against them.
With information about how to circumvent all kinds of access barriers readily available online, and a peer group of fellow minors eager to help, plus a household of other devices that may not be as locked down as a child’s phone, a generation that’s guaranteed to be more tech savvy than its elders is going to win out. A little assistance for parents is not so much to ask.
Of course, it’s frustrating for adults who have the right to access all of these websites; but ID checks are commonplace in other areas of the online world, such as buying cryptocurrency, taking out credit cards and loans, or signing up to private medical insurance, and users feel secure enough to comply in these forums. Why not adult sites too?
UK implementation and data protection
The problem with the UK’s age verification system is its current implementation. Right now, there’s no centralized, government-led verification system. Instead, users are left putting their data in the hands of third parties, and there are dozens of them out there providing age verification services.
For example, Spotify uses Yoti. Bluesky users are verified by Kids Web Services (KWS) by Epic Games. TikTok has InCode, and X seems to use one of about five different services. You could end up having to leave your data in tens of third-party databases.
Each comes with its own set of risks according to their logging policies, data-retention plans, and security measures – and users are expected to just hand over their most sensitive identification, the details of the sites they’re visiting and, quite possibly, what they’ve looked at once they’ve got there.
A database like that makes a rich prize for cybercriminals looking to extort, expose, and profit. If the recent breaches of UK retailer Marks and Spencer and the Tea Dating Advice servers tell us anything, it’s that hackers will find a way if they’re motivated, and that even trusted household names are not using security measures that are stringent enough.
How, then, are we supposed to feel about giving information to a bunch of age verification agencies we’ve never heard of?
There needs to be a single, government-created and properly secure system that takes a leaf out of VPN company playbooks – ironic, given that it’s this very security software that’s being used to circumvent UK age verification checks in their current form.
Such a system needs a no-logs or zero-logs methodology so that the only data that could possibly be stolen is data from any live age verification sessions, with no historical information available whatsoever. It should have top-level security with AES-256-bit and post-quantum encryption to ensure that any small amount of data that might be stolen is indecipherable. And this should be a system that’s regularly audited and upgraded to ensure that it operates as promised.
VPN companies can do all this because they can charge subscription fees to pay for it. Is this something that the UK government is going to invest in? Probably not but that does leave space for a trusted service provider from the private sector to pick up the slack. An official license, and a dependable watchdog to do the auditing could easily make it financially agreeable for both parties.
Or perhaps we could take this one step further and develop a really cutting-edge age verification system that doesn’t require handing over any personal information at all.
Discord’s ‘Face Scan’ age verification tech, as supplied by k-ID, attempts to do just this with a fairly rudimentary, and sadly gameable, sweep of your face using your mobile phone’s front-facing camera. It’s similar to the approach of UK supermarkets, but with a machine instead of a store employee confirming that the customer is visibly over 18,
Currently, k-ID requires you to change facial expressions to make using a photograph difficult (but not impossible) – but combine it with a captcha, where the user has to say specific words written on the screen, and it would become very hard to circumvent. No personal information need be given or stored, except as necessary for more borderline cases.
Could this kind of tech even come from the adult sites themselves? After a huge spike in UK searches for ‘Pornhub’ in the days following July 25, search traffic has now dropped down to significantly below the previous base level, and it’s still falling.
In other words, there are fewer and fewer people visiting Pornhub than before. Some of this drop in traffic is likely down to underage would-be users who are now unable to verify their age, but a lot of it will be because over-18s either can’t be bothered going through the rigmarole of verifying their age, or are reluctant to share their personal information.
So it would seem in adult websites’ interests to create a system that engenders trust in order to coax their audience back.
The internet turned adult content companies into tech pioneers in online video and streaming. Could the global age verification checks make them the new thought leaders in online security and data privacy?
The EU solution – how it’s doing age verification better
The EU is testing out its own age verification system – and unlike the UK, it’s trying a single, white label app fronting a service where users provide their ID to prove that they’re over 18.
Each time someone wants to access a website with adult content, an issuer then contacts the centralized ID service, which confirms that they’re over 18 (or that they’re not), but without handing over any more information than that. That means there’s only one single and, hopefully, trustworthy data centre involved.
What’s more, each issuer proof can only be used once, so even if a criminal did intercept it, it would never have more information than that single site-access request. It wouldn’t hold a whole history of browsing data.
By comparison, then, the EU’s method seems a lot more sensible, and easy enough to adopt. It reduces the number of third parties holding sensitive data, and likely makes for a better user experience.
Even if that’s as far as the UK takes it, wouldn’t that be a better age verification system model to adopt?
The VPN problem
There are ways, then, of creating an age verification system that’s secure enough to be trusted – but can they be robust enough to do what they’ve been designed for in the first place? Will they stop minors from accessing adult content, or can they be circumvented?
In its current guise, getting around UK age verification has certainly been possible. Across the UK, gamers have used Death Stranding to create adult faces they can plug in to gain access, and streamers have used stills from their favorite TV shows. Most noticeably, though, many have flocked to VPN services.
VPN users can connect to servers worldwide, and make traffic appear to be coming from a country that it isn’t. When an adult website spots the UK IP address of someone looking to browse the website from the UK, it serves them the new age verification barrier. If, however, that UK visitor installs a VPN, they can connect to a server in another country first to make the adult website think they’re from a different nation where strict age verification isn’t required, and it will allow them to pass instead.
There are no age restrictions on downloading and using VPN apps for this purpose and, indeed, there are many free VPNs that do the job, if in a more limited way. That means children and adults alike can use them to get around any age checks without even having to pay.
As well as defeating the object of the Online Safety Act in one fell swoop, there’s a further risk, because there are thousands of VPNs available, and most of them are not safe to use.
The free VPNs are a particular problem. While some free VPNs, such as Proton VPN, PrivadoVPN Free, and Windscribe Free, are secure and offer no-logs policies you can trust, there are many that sell user data, or simply act to leave devices open to malicious attack. 2024 saw a massive surge in these kinds of dangerous free VPNs.
The UK government has said it has no plans to ban VPNs, so here it’s up to parents to make sure their children are blocked from downloading them.
What to do if you’re worried about your data
As it stands, we’d advise that people in the UK do not trust the current age verification systems where linking your browsing data to your ID feels too sensitive.
While the privacy and security credentials of the agencies involved are unknown, it doesn’t seem to be a risk worth taking.
If the sites and services you’re looking to access are places that advertise alcohol, or are mainstream social media sites, you may find it more acceptable to hand over some personal information.
But until that time, it’s a case of doing your own due diligence. Find out which age-verification third party a web service uses before you choose to use it, and decide for yourself based on its track record and its data-logging policies whether you feel it’s safe.
We look forward to Ofcom and the UK government taking a second look at age verification. Until that time, we’ll just have to accept the Online Safety Act as written.
Discover more from cplexmath tech stop
Subscribe to get the latest posts sent to your email.
Add Comment