The dialog across the UK’s On-line Security Act has remodeled over the previous week. Because it got here into drive final Friday (twenty fifth July 2025), there was lots of public outcry, together with a petition, which was signed by over 400,000 individuals, calling for The Act to be scrapped altogether. The UK authorities has since rejected this concept, with no signal of backing down. In parallel, shoppers have scrambled to seek out work arounds. VPN utilization spiked within the UK, with sign-ups to 1 service surging by greater than 1400%. Many are additionally calling into query the safety of the organisations and third-parties which might be required to retailer such delicate information too. Surprisingly, websites (not essentially seen as ‘grownup’) like Spotify are additionally asking for customers to add their ID too, which has left individuals asking the place does it finish?!
It is a story with many shifting elements and issues have snowballed over the previous week. One might deal with (non-exhaustively) VPNs, the software program provide chain safety component of third-party ID verification websites or the concept behind its conception (little one security) and nonetheless not scratch the floor. As a substitute, The Gurus requested cybersecurity consultants from throughout the business to weigh in…
Brian Higgins, Safety Specialist at Comparitech, on VPNs:
“One of many extra alarming rising traits is the virtually fast mission creep of this laws. The VPN subject was at all times going to deflate the effectiveness of any age verification measures, actually it’s moderately worrying that these accountable appear fairly so shocked by this improvement. However as a result of wide-ranging wording of the content material doubtlessly lined by the Invoice, legislative compliance is impacting platforms and customers in much more draconian vogue than could also be deemed affordable. Spotify is one service which has dismayed customers by requiring AV and a distinguished UK actor lately discovered he might not entry photos of his personal youngsters when posted on Social Media by their mom.
Many extra examples of the swingeing attain of this Invoice will undoubtedly proceed to come up so it’s no marvel individuals will search for work-arounds. Are Ofcom going to arrest everybody who makes use of a faux AI Drivers License to spoof their method on to Fb or will they be too busy getting sued by the U.S. State Division. Solely time will inform.”
Graeme Stewart, head of public sector at Test Level, on a possible VPN ban:
“The thought of banning VPNs places the UK within the firm of China, Russia, and Iran. That ought to let you know every part. The Authorities’s try to manage on-line hurt has backfired spectacularly. In making an attempt to cease youngsters seeing dangerous content material, they’ve pushed tens – possibly a whole lot – of hundreds of individuals to undertake instruments that make lawful interception near-impossible.
Worse nonetheless, they’ve outsourced enforcement to unaccountable third events, counting on fragmented databases that supply no assure of safety, legitimacy, or transparency. Proof is already rising of pretend Google and ChatGPT-generated IDs being accepted. This isn’t enforcement – it’s grow to be a little bit of theatre.
Simply have a look at the Tea App debacle – a dwell instance of what occurs when poor verification meets unhealthy actors.
From a cybersecurity perspective, that is last-century pondering. And right here’s the kicker: through the use of a VPN to guard your self, you now threat being flagged as an individual of curiosity.
You may’t declare to guard privateness whereas handing individuals’s most delicate information to unregulated distributors.
Persons are turning to VPNs as a result of they don’t belief the system – and who can blame them? These are the identical instruments defending journalists, whistleblowers, and residents from surveillance and abuse. Banning VPNs doesn’t repair the issue – it simply punishes the general public for not blindly trusting a system that retains failing them.”
Lucy Finlay, Director, Safe Behaviour and Analytics at Redflags, on importing IDs:
“The necessities for sure web sites to confirm age by importing a dwell selfie or a replica of an ID opens an entire new avenue of assault for cyber criminals and privateness questions for coverage makers. Firstly, it invitations organising malicious prompts for ID verification on compromised web sites, funnelling delicate information away from unsuspecting customers, who’re being conditioned to not query making a gift of their ID. That is an instance of “sludge”, the place a nudge is getting used as a friction or barrier to accessing what you need, so persons are instinctively acquiescing to this request moderately than query its legitimacy. Besides it’s not simply urgent “settle for all” on annoying cookie pop-ups… it’s making a gift of your ID or facial information. Secondly, it creates information regulation and privateness complications, as overseas corporations are engaged to hold out the verification service for the web sites. Lastly, these corporations are prone to be topic to elevated scrutiny from unhealthy actors wishing to get their arms on a goldmine of IDs and kompromat-worthy materials related to the “delicate” materials they’re viewing. Do these dangers outweigh the advantages gained, given these verification checks can presently be bypassed by a easy VPN?”
Mayur Upadhyaya, CEO at APIContext, on going chilly turkey:
“It’s extremely troublesome to place the genie again within the bottle. These platforms have been accessible for thus lengthy that viewing them has grow to be a deeply embedded behavior for a lot of younger individuals. Going chilly turkey in a single day gained’t work, particularly if the one various is technical enforcement. We’re already seeing a surge in free VPN use, which carries critical dangers like malware, trackers, and compromised information. Extra regarding is the cultural divide this creates. When youngsters really feel they’ve to cover their on-line habits, it shuts down the open dialogue dad and mom have to have. The intent behind the On-line Security Act is effectively that means, however actual change requires schooling, safer options, and belief, not simply technical restrictions.”
Chris Hauk, Shopper Privateness Advocate at Pixel Privateness, on the dangers of an org that retailer IDs being focused by hackers:
“Whereas I applaud any motion taken to guard minors whereas they’re on-line, offering your private information, together with their Authorities IDs, to web sites, significantly grownup web sites, is a bridge too far. Many grownup web sites are run by unsavoury people and teams, and turning over a picture of an ID card might permit these felony varieties to carry out felony actions utilizing that info.
Whereas VPNs are a wonderful technique to keep away from these ID necessities by connecting to a different metropolis or nation the place ID shouldn’t be but required, there are rumblings that governments will quickly contemplate banning using VPNs to take action. That is one other step towards higher authorities management of the web, and the flexibility to limit what we are able to see on the web.”
Even when a web site that requires authorities ID to login is on the up and up, the data might be uncovered in a knowledge breach, that means a person’s on-line actions might be uncovered to their associates, households, and employers. This occurred years in the past within the 2015 Ashley Madison information breach, when clients of the extramarital “relationship website” noticed greater than 60GB of person information be launched.”
Anne Cutler, Cybersecurity Skilled at Keeper Safety, on a greater technique to defend the youngsters:
“The On-line Security Act introduces complicated security obligations for digital platforms, together with age verification, content material moderation and information assortment necessities geared toward defending youngsters. However in fulfilling these obligations, platforms are being requested to gather and retailer extremely delicate private information, elevating pressing questions round how securely this info is being managed – and whether or not the infrastructure behind these platforms is as much as the duty.
Content material moderation, like that spelled out within the On-line Security Act, wants a security-first technique to underpin these security measures. This technique ought to be laser-focused on stopping unauthorised entry, and safeguarding towards inner threats, third-party distributors and cybercriminals. As platforms transfer to fulfill their regulatory tasks and start amassing the mandatory information, it’s crucial to determine and deal with the safety infrastructure that helps them. Safety should be built-in from the bottom up – by means of strong entry controls, privileged person administration, encryption and breach detection.
Constructing long-term digital resilience additionally means investing in each security and safety schooling – not only for youngsters, however for the adults who construct, handle and safe these methods. Many youngsters – and the adults round them – merely aren’t conscious of how susceptible their accounts and information are, or successfully defend them. Keeper’s Flex Your Cyber initiative, in collaboration with respected cybersecurity companions (Nationwide Cybersecurity Alliance, KnowBe4 and CYBER.org) was created to shut the data hole in cybersecurity consciousness, whereas additionally pushing for enterprise-grade safety requirements within the classroom and past. However schooling alone can’t carry the burden of regulatory compliance. Platform suppliers should prioritise security-by-design rules from day one, embedding entry controls and monitoring methods that guarantee person safety is at all times lively, not simply passive.
Such an strategy is particularly crucial in a world the place threats focusing on youngsters have gotten more durable to detect. Kids are partaking not simply with troublesome content material, however with more and more complicated, AI-driven digital experiences. These interactions can expose them to new types of hurt – from hacked accounts and impersonation to emotionally manipulative chatbots. With out correct entry controls, information encryption and breach monitoring, child-facing platforms – and the info they comprise – stay smooth targets for malicious actors.”
Observe: It is a creating story.
