
The conversation around the UK’s Online Safety Act has transformed over the past week. Since it came into force last Friday (25th July 2025), there was a lot of public outcry, including a petition, which was signed by over 400,000 people, calling for the Act to be scrapped altogether. The UK government has since rejected this idea, with no sign of backing down. In parallel, users have scrambled to find workarounds. VPN usage spiked in the UK, with sign-ups to one service surging by more than 1400%. Many are also calling into question the security of the organisations and third parties that are required to store such sensitive data too. Surprisingly, sites (not necessarily seen as ‘adult’) like Spotify are also asking for users to upload their ID too, which has left people asking where does it end?!
This is a story with many moving parts and things have snowballed over the past week. One could focus on (non-exhaustively) VPNs, the software supply chain security side of third-party ID verification sites or the idea behind its conception (child safety) and still not scratch the surface. Instead, The Gurus asked cybersecurity experts from across the industry to weigh in…
Brian Higgins, Security Specialist at Comparitech, on VPNs:
“One of the more alarming emerging trends is the almost immediate mission creep of this legislation. The VPN issue was always going to deflate the effectiveness of any age verification measures, in fact it’s rather worrying that those responsible seem quite so surprised by this development. But due to the wide-ranging wording of the content potentially covered by the Bill, legislative compliance is impacting platforms and users in far more draconian fashion than may be deemed reasonable. Spotify is one service which has dismayed users by requiring AV and a prominent UK actor recently found he could no longer access footage of his own children when posted on Social Media by their mother.
Many more examples of the swingeing reach of this Bill will undoubtedly continue to arise so it’s no wonder people will look for work-arounds. Are Ofcom going to arrest everyone who uses a fake AI Drivers License to spoof their way on to Facebook or will they be too busy getting sued by the U.S. State Department? Only time will tell.”
Graeme Stewart, head of public sector at Check Point, on a potential VPN ban:
“The idea of banning VPNs puts the UK in the company of China, Russia, and Iran. That should tell you everything. The Government’s attempt to manage online harm has backfired spectacularly. In trying to stop children seeing dangerous content, they’ve pushed tens – maybe hundreds – of thousands of people to adopt tools that make lawful interception near-impossible.
Worse still, they’ve outsourced enforcement to unaccountable third parties, relying on fragmented databases that offer no guarantee of security, legitimacy, or transparency. Evidence is already emerging of fake Google and ChatGPT-generated IDs being accepted. This isn’t enforcement – it’s become a bit of theatre.
Just look at the Tea App debacle – a live example of what happens when poor verification meets bad actors.
From a cybersecurity perspective, this is last-century thinking. And here’s the kicker: by using a VPN to protect yourself, you now risk being flagged as a person of interest.
You can’t claim to protect privacy while handing people’s most sensitive data to unregulated vendors.
People are turning to VPNs because they don’t trust the system – and who can blame them? These are the same tools protecting journalists, whistleblowers, and citizens from surveillance and abuse. Banning VPNs doesn’t fix the problem – it just punishes the public for not blindly trusting a system that keeps failing them.”
Lucy Finlay, Director, Secure Behaviour and Analytics at Redflags, on uploading IDs:
“The requirements for certain websites to verify age by uploading a live selfie or a copy of an ID open a whole new avenue of attack for cyber criminals and privacy questions for policy makers. Firstly, it invites setting up malicious prompts for ID verification on compromised websites, funnelling sensitive data away from unsuspecting users, who are being conditioned to not question giving away their ID. This is an example of “sludge”, where a nudge is being used as a friction or barrier to accessing what you want, so people are instinctively acquiescing to this request rather than question its legitimacy. Except it’s no longer just pressing “accept all” on annoying cookie pop-ups… it’s giving away your ID or facial data. Secondly, it creates data regulation and privacy headaches, as foreign companies are engaged to carry out the verification service for the websites. Finally, these companies are likely to be subject to increased scrutiny from bad actors wishing to get their hands on a goldmine of IDs and kompromat-worthy material associated with the “sensitive” material they’re viewing. Do these risks outweigh the benefits gained, given these verification checks can currently be bypassed by a simple VPN?”
Mayur Upadhyaya, CEO at APIContext, on going cold turkey:
“It’s extremely difficult to put the genie back in the bottle. These platforms have been accessible for so long that viewing them has become a deeply embedded habit for many young people. Going cold turkey overnight won’t work, especially if the only alternative is technical enforcement. We’re already seeing a surge in free VPN use, which carries serious risks like malware, trackers, and compromised data. More concerning is the cultural divide this creates. When children feel they have to hide their online conduct, it shuts down the open dialogue parents need to have. The intent behind the Online Safety Act is well meaning, but real change requires education, safer alternatives, and trust, not just technical restrictions.”
Chris Hauk, Consumer Privacy Advocate at Pixel Privacy, on the risks of an org that stores IDs being targeted by hackers:
“While I applaud any action taken to protect minors while they’re online, providing your personal data, including their Government IDs, to websites, particularly adult websites, is a bridge too far. Many adult websites are run by unsavoury individuals and groups, and turning over an image of an ID card could allow these criminal types to perform criminal activities using that information.
While VPNs are an excellent way to avoid these ID requirements by connecting to another city or country where ID is not yet required, there are rumblings that governments will soon consider banning the use of VPNs to do so. This is another step toward greater government control of the internet, and the ability to restrict what we can see on the internet.
Even if a website that requires government ID to login is on the up and up, the information could be exposed in a data breach, meaning a user’s online activities could be exposed to their friends, families, and employers. This happened years ago in the 2015 Ashley Madison data breach, when customers of the extramarital “dating site” saw more than 60GB of user data be released.”
Anne Cutler, Cybersecurity Professional at Keeper Security, on a better way to protect the children:
“The Online Safety Act introduces complex safety obligations for digital platforms, including age verification, content moderation and data collection requirements aimed at protecting children. But in fulfilling these obligations, platforms are being asked to collect and store highly sensitive personal data, raising urgent questions around how securely this information is being managed – and whether the infrastructure behind these platforms is up to the task.
Content moderation, like that spelled out in the Online Safety Act, needs a security-first strategy to underpin these safety measures. This strategy must be laser-focused on preventing unauthorised access, and safeguarding against internal threats, third-party vendors and cybercriminals. As platforms move to meet their regulatory responsibilities and begin collecting the required data, it’s essential to identify and address the security infrastructure that supports them. Security must be integrated from the ground up – through robust access controls, privileged user management, encryption and breach detection.
Building long-term digital resilience also means investing in both security and safety education – not just for children, but for the adults who build, manage and secure these systems. Many children – and the adults around them – simply aren’t aware of how vulnerable their accounts and data are, or how to effectively protect them. Keeper’s Flex Your Cyber initiative, in collaboration with reputable cybersecurity partners (National Cybersecurity Alliance, KnowBe4 and CYBER.org) was created to close the knowledge gap in cybersecurity awareness, while also pushing for enterprise-grade security standards in the classroom and beyond. But education alone cannot carry the weight of regulatory compliance. Platform providers must prioritise security-by-design principles from day one, embedding access controls and monitoring systems that ensure user safety is always active, not just passive.
Such an approach is very important in a world where threats targeting children are becoming harder to detect. Children are engaging not just with difficult content, but with increasingly complex, AI-driven digital experiences. These interactions can expose them to new forms of harm – from hacked accounts and impersonation to emotionally manipulative chatbots. Without proper access controls, data encryption and breach monitoring, child-facing platforms – and the data they contain – remain soft targets for malicious actors.”
Note: This is a developing story.