Concerning News
I’m very concerned about the current implementation of the UK’s Online Safety Act and the emerging digital identity framework, particularly in relation to child protection, fairness, civil liberties, and recent proposals relating to VPN restrictions.
While I fully support the goal of making the internet safer for young people, I’m increasingly worried that the direction being taken, both in enforcement and in future proposals, may unintentionally harm the very groups we most want to protect, while entrenching inequality and normalising mass surveillance of ordinary people.
The current direction of travel appears to risk undermining privacy, digital rights, and even child protection itself.
Digital identity and the risk of marginalising vulnerable and low‑income people
Digital identity schemes rely on access to devices, stable documentation, and digital literacy, resources that many vulnerable or low‑income people do not consistently have.
Civil liberties groups have already warned that digital ID requirements would marginalise those without smartphones, people with limited understanding of current technologies, those experiencing homelessness, or anyone with incomplete documentation. These groups already face structural disadvantages.
Good Things Foundation’s 2024 national dataset review shows:
- 7% of UK households (1.9m) cannot afford mobile data,
- 7% cannot afford broadband,
- 15% of adults (7.9m) lack basic digital skills,
- 45% of households with children are below the Minimum Digital Living Standard,
Women in Identity research shows 12% of UK residents are excluded from identity‑centric systems, including people without fixed addresses, without smartphones, or without stable documentation. Exclusion prevents accessing banking, housing, and essential services.
This demonstrates that digital identity–dependent systems disproportionately exclude low‑income groups.
A system that ties full participation in public life, employment, housing, healthcare access, and even buying a train ticket, to digital identity checks risks deepening inequality rather than alleviating it.
When digital identity becomes a gatekeeper to daily life, those on the margins fall further behind.
The Online Safety Act’s uneven enforcement leaves children unprotected
The UK’s digital ID and age‑verification framework is already in place, but due to technological realities, people can use simple means to bypass this poorly thought through “solution”.
A quick search for the trivial and laughable bypasses for the current age verification approach will show people successfully:
- holding up a photo to their camera during age verification checks
- using video game characters during age verification checks
- using their thumb with a smiley face drawn on it during age verification checks
- using adblockers to bypass the age verifcation pop-up
This current implementation is also inconsistent. As just one concerning example, 4chan (4chan.org), an imageboard notorious for hosting harmful and, in some cases, illegal (CSAM) material, has refused to comply with the Act’s age‑verification requirements and has been investigated, warned, and even fined by Ofcom for failing to implement the UK’s current age check solution.
Yet the site remains accessible to all, including children, with no meaningful age checks in place.
While I don’t agree that the current age check implementation is in any way fair or safe, the above example shows it is also ineffective.
VPN restrictions: risk of overreach without solving the underlying problem
Recent UK Government statements confirm that they are actively considering age‑restricting or limiting VPN use. Similarly, other reporting shows the government is exploring a possible VPN ban for under‑18s, framed as part of “closing loopholes” left by the Online Safety Act.
Privacy advocates, including myself, have warned that these measures are “draconian” and misunderstand the primary functional and legitimate use-case for VPNs.
This will undermine the essential role VPNs play in securing communications and protecting user privacy. Restricting VPNs will disproportionately harm:
- LGBTQ+ people seeking safe communities,
- Women seeking safety from abuse and harassment.
- Domestic abuse survivors protecting their online footprint,
- Legal migrants seeking safety from far-right abusers,
- Whistleblowers, journalists, and activists,
- Low‑income people relying on public Wi‑Fi,
- etc. (the list goes on)
These are the communities already most at risk of online harms.
Digital ID schemes lead to mass surveillance of ordinary people
Digital ID systems create the infrastructure for mass data collection and behavioural tracking.
The UK government themselves admitted this in written evidence, warning a centralised digital ID would create an “unprecedented surveillance infrastructure,” fundamentally altering the citizen‑state power balance, citing historical UK abuses (GCHQ bulk interception, Windrush, police misuse of data, etc.). See Parliment UK Evidence in response to the call for evidence for the inquiry, Harnessing the potential of new forms of digital ID.
Civil liberties groups warn that such systems enable population‑wide surveillance, transforming everyday activities into identity‑verified checkpoints.
The UK doesn’t have the best record regarding citizen surveillance, but the introduction of a poorly architected Digital ID tool, without significant safeguards for citizens’ rights and privacy, would fundamentally alter the relationship between citizen and state.
Attacking access to VPNs is the opposite of these safeguards.
Instead of targeted interventions against harmful actors, digital identity systems risk creating a default position where the state monitors the daily movements and decisions of every citizen.
This is not how a free and fair society should function.
A Broken Approach
The Stanford paper titled “The Segregate-and-Suppress” Approach to Regulating Child Safety Online examines regulatory models that require websites to verify every user’s age and then segregate minors from accessing certain content. The author argues that, although these laws are framed as child‑protection measures, they are fundamentally flawed, produce counterproductive outcomes, and pose serious risks to both minors and adults.
The paper shows that the current approach to age verification forces websites to:
- Determine whether a user is a minor or an adult.
- Use mechanisms such as document review, facial scans, biometric analysis, credit card checks, etc.
- Restrict minors’ access once identified (“suppression”).
This creates a structural dependence on identity verification, which effectively results in a draconian digital identity system.
Requiring minors to verify their age forces them to submit:
- Sensitive personal data
- Biometric information
- Government‑issued documents
This data can be stored, leaked, misused, or used for surveillance.
The paper concludes and stresses that: 1) Forcing minors to reveal more personal information online increases their long‑term risk, violating the very principle of child safeguarding. 2) Age‑authentication changes the structure of the internet from an open information network to a permissioned, identity‑gated system.
Age‑authentication laws that try to “segregate minors and suppress content” are a paradox: They seek to protect children, but harm them, and damage the broader internet and society.
What Next
I would like to hope that the UK government would consider the effectiveness and unintended collatoral of any implementation of a solution to an agreed problem.
I would like to hope that they will consult with privacy, cyber security, and technology advocates and “experts” in a fair and unbiased way, to inform any solution or implementation of a chosen solution, prior to that solution design being written into law or implemented.
In reality, I’m not that hopeful. But you should write to your local MP anyway.