The conversation around the UK’s Online Safety Act has transformed over the past week. Since it came into force last Friday (25th July 2025), there has been a lot of public outcry, including a petition, signed by over 400,000 people, calling for the Act to be scrapped altogether. The UK government has since rejected this idea, with no sign of backing down. In parallel, consumers have scrambled to find workarounds. VPN usage spiked in the UK, with sign-ups to one service surging by more than 1400%. Many are also calling into question the security of the organisations and third parties that are required to store such sensitive data. Surprisingly, sites not necessarily seen as ‘adult’, like Spotify, are also asking users to upload their ID, which has left people asking: where does it end?
This is a story with many moving parts, and things have snowballed over the past week. One could focus on (non-exhaustively) VPNs, the software supply chain security element of third-party ID verification sites, or the idea behind its conception (child safety) and still not scratch the surface. Instead, The Gurus asked cybersecurity experts from across the industry to weigh in…
Brian Higgins, Security Specialist at Comparitech, on VPNs:
“One of the more alarming emerging trends is the almost immediate mission creep of this legislation. The VPN issue was always going to deflate the effectiveness of any age verification measures; in fact it’s quite worrying that those responsible seem quite so surprised by this development. But due to the wide-ranging wording of the content potentially covered by the Bill, legislative compliance is impacting platforms and users in far more draconian fashion than may be deemed reasonable. Spotify is one service which has dismayed users by requiring AV and a prominent UK actor recently found he could not access pictures of his own children when posted on Social Media by their mother.
Many more examples of the swingeing reach of this Bill will undoubtedly continue to arise so it’s no wonder people will look for work-arounds. Are Ofcom going to arrest everyone who uses a fake AI Drivers License to spoof their way on to Facebook or will they be too busy getting sued by the U.S. State Department? Only time will tell.”
Graeme Stewart, head of public sector at Check Point, on a potential VPN ban:
“The idea of banning VPNs puts the UK in the company of China, Russia, and Iran. That should tell you everything. The Government’s attempt to control online harm has backfired spectacularly. In trying to stop children seeing harmful content, they’ve pushed tens – maybe hundreds – of thousands of people to adopt tools that make lawful interception near-impossible.
Worse still, they’ve outsourced enforcement to unaccountable third parties, relying on fragmented databases that offer no guarantee of security, legitimacy, or transparency. Evidence is already emerging of fake Google and ChatGPT-generated IDs being accepted. This isn’t enforcement – it’s become a bit of theatre.
Just look at the Tea App debacle – a live example of what happens when poor verification meets bad actors.
From a cybersecurity perspective, this is last-century thinking. And here’s the kicker: by using a VPN to protect yourself, you now risk being flagged as a person of interest.
You can’t claim to protect privacy while handing people’s most sensitive data to unregulated vendors.
People are turning to VPNs because they don’t trust the system – and who can blame them? These are the same tools protecting journalists, whistleblowers, and citizens from surveillance and abuse. Banning VPNs doesn’t fix the problem – it just punishes the public for not blindly trusting a system that keeps failing them.”
Lucy Finlay, Director, Secure Behaviour and Analytics at Redflags, on uploading IDs:
“The requirements for certain websites to verify age by uploading a live selfie or a copy of an ID open a whole new avenue of attack for cyber criminals and privacy questions for policy makers. Firstly, it invites setting up malicious prompts for ID verification on compromised websites, funnelling sensitive data away from unsuspecting users, who are being conditioned to not question giving away their ID. This is an example of “sludge”, where a nudge is being used as a friction or barrier to accessing what you want, so people are instinctively acquiescing to this request rather than question its legitimacy. Except it’s not just pressing “accept all” on annoying cookie pop-ups… it’s giving away your ID or facial data. Secondly, it creates data regulation and privacy headaches, as international firms are engaged to carry out the verification service for the websites. Lastly, these firms are likely to be subject to increased scrutiny from bad actors wishing to get their hands on a goldmine of IDs and kompromat-worthy material associated with the “sensitive” material they’re viewing. Do these risks outweigh the benefits gained, given these verification checks can currently be bypassed by a simple VPN?”
Mayur Upadhyaya, CEO at APIContext, on going cold turkey:
“It’s extremely difficult to put the genie back in the bottle. These platforms have been accessible for so long that viewing them has become a deeply embedded habit for many young people. Going cold turkey overnight won’t work, especially if the only alternative is technical enforcement. We’re already seeing a surge in free VPN use, which carries serious risks like malware, trackers, and compromised data. More concerning is the cultural divide this creates. When kids feel they have to hide their online habits, it shuts down the open dialogue parents need to have. The intent behind the Online Safety Act is well meaning, but real change requires education, safer options, and trust, not just technical restrictions.”
Chris Hauk, Consumer Privacy Advocate at Pixel Privacy, on the risks of an org that stores IDs being targeted by hackers:
“While I applaud any action taken to protect minors while they’re online, providing your personal data, including their Government IDs, to websites, particularly adult websites, is a bridge too far. Many adult websites are run by unsavoury individuals and groups, and turning over an image of an ID card could allow these criminal types to perform criminal activities using that information.
While VPNs are an excellent way to avoid these ID requirements by connecting to another city or country where ID is not yet required, there are rumblings that governments will soon consider banning the use of VPNs to do so. This is another step toward greater government control of the internet, and the ability to restrict what we can see on the internet.
Even if a website that requires government ID to log in is on the up and up, the information could be exposed in a data breach, meaning a user’s online activities could be exposed to their friends, families, and employers. This happened years ago in the 2015 Ashley Madison data breach, when customers of the extramarital “dating site” saw more than 60GB of user data be released.”
Anne Cutler, Cybersecurity Expert at Keeper Security, on a better way to protect the kids:
“The Online Safety Act introduces complex safety obligations for digital platforms, including age verification, content moderation and data collection requirements aimed at protecting children. But in fulfilling these obligations, platforms are being asked to collect and store highly sensitive personal data, raising urgent questions around how securely this information is being managed – and whether the infrastructure behind these platforms is up to the task.
Content moderation, like that spelled out in the Online Safety Act, needs a security-first strategy to underpin these safety measures. This strategy needs to be laser-focused on preventing unauthorised access, and safeguarding against internal threats, third-party vendors and cybercriminals. As platforms move to meet their regulatory duties and begin collecting the necessary data, it’s essential to identify and address the security infrastructure that supports them. Security must be integrated from the ground up – through robust access controls, privileged user management, encryption and breach detection.
Building long-term digital resilience also means investing in both safety and security education – not just for children, but for the adults who build, manage and secure these systems. Many children – and the adults around them – simply aren’t aware of how vulnerable their accounts and data are, or how to effectively protect them. Keeper’s Flex Your Cyber initiative, in collaboration with reputable cybersecurity partners (National Cybersecurity Alliance, KnowBe4 and CYBER.org) was created to close the knowledge gap in cybersecurity awareness, while also pushing for enterprise-grade security standards in the classroom and beyond. But education alone cannot carry the burden of regulatory compliance. Platform providers must prioritise security-by-design principles from day one, embedding access controls and monitoring systems that ensure user safety is always active, not just passive.
Such an approach is very important in a world where threats targeting children are becoming harder to detect. Kids are engaging not just with difficult content, but with increasingly complex, AI-driven digital experiences. These interactions can expose them to new forms of harm – from hacked accounts and impersonation to emotionally manipulative chatbots. Without proper access controls, data encryption and breach monitoring, child-facing platforms – and the data they contain – remain soft targets for malicious actors.”
Note: This is a developing story.