Recently, the news has been abuzz with reports about the new ID checks being implemented on websites that contain adult material as part of the Online Safety Act.

There has been significant backlash against this measure due to privacy concerns and the ease with which it can be bypassed.

The government claim it is to protect children, but it has been so poorly implemented, it seems much more likely this is part of a much more insidious attempt to implement mass surveillance and widespread censoring in the UK.

What is the Online Safety Act

The UK Online Safety Bill—now law as the Online Safety Act 2023—is comprehensive legislation aimed at making the internet safer for users, especially children, by imposing new legal duties on online platforms and services.

Key points include:

• Main Purpose: The Act requires social media companies, search engines, messaging apps, and similar platforms to implement measures that protect users from illegal content and content harmful to children. This includes age verification for adult material, rapid removal of illegal or dangerous content, and providing clear reporting systems for users.
• Child Safety: Special emphasis is placed on protecting children from issues such as exposure to pornography, suicide- or self-harm-related content, eating disorders, bullying, and hateful or misogynistic material. Platforms must use accurate age-assurance measures and adapt algorithms to prevent harmful content from reaching children.
• Enforcement: Compliance is overseen by Ofcom, the UK’s media and communications regulator, which can investigate violations, levy fines up to £18 million or 10% of a company’s global revenue, and even block noncompliant sites in the UK. Senior executives can be held criminally liable for severe breaches.
• Scope: The law applies to “user-to-user” services and search providers accessible from the UK, even if they’re not based in the UK but have significant UK user bases.
• Balance of Rights: The Act also aims to protect freedom of expression and privacy, requiring platforms to maintain legal and journalistic content.
• Timeline: Key duties such as illegal content removal and child safety began enforcement in March and July 2025, respectively.

What genuine reasons do people have for wanting to bypass internet safety rules

The main concern that has arisen since 25 July 2025 is the introduction of age verification to access certain content.

Since this date, platforms must use effective age assurance (e.g. ID checks, facial scanning, credit card verification) to prevent under‑18s from accessing content related to pornography, self-harm, suicide, eating disorders, bullying, hate, and dangerous stunts.

On the surface, you may think this is a good idea, but the reality is that these checks are easy to bypass, and they have significant privacy concerns, as well as significant hypocrisy with what content they target.

Privacy Concerns & Mass Surveillance

One of the main concerns is the invasion of privacy and the trend of the UK moving towards being a nanny state. We have criticised countries like China for years for their excessive surveillance and the ways they restrict citizens from accessing data and communicating, yet, here we are, trying to replicate them.

Many believe the argument for protecting children is just a ruse. The government are pushing towards mass surveillance, and this is the first major step.

Then, of course, in the past decade, companies being hacked and data breaches have become increasingly common. It is quite possible that a third-party provider getting hacked could then lead to threat actors having your ID and information on the sort of websites you have visited, which require an ID check.

Many of these providers share data with third parties. So, in theory, you may provide ID to access an adult site, then that ID company sells data, allowing other companies to more accurately track you. So then, the content you used to view privately is now linked to your daily browsing habits.

Historic Data Breaches

The hacking concern is significant, there has been a growing number of serious l high-profile data breaches vividly illustrate the risks associated with ID verification systems that store personal and biometric data:

• AU10TIX (2022–2024): A major identity verification provider for platforms like TikTok, Uber, Coinbase, and X (Twitter) suffered a breach after administrative credentials were leaked online for over a year. This flaw exposed names, dates of birth, nationalities, ID document images, facial scans, and verification metrics belonging to millions. The breach demonstrated how a single point of failure (exposed credentials) at a third-party provider can endanger the sensitive data of millions across multiple major platforms.
• Outabox (2024): An Australian facial recognition company used by bars and clubs experienced a breach that exposed facial biometrics, driver licenses, signatures, club memberships, addresses, and usage logs. The incident highlighted the vast scope of personal data—far beyond just facial images—that can be leaked through biometric ID systems and the downstream privacy threats for individuals.
• BioStar 2 (2019): The widely deployed biometric access control platform suffered a breach that exposed 27.8 million records, including fingerprints, facial recognition data, user names, and passwords. Poor encryption allowed hackers not just to steal but to modify biometric templates, granting themselves access to secured facilities. The leak affected organizations worldwide, from businesses to police agencies.
• US Office of Personnel Management (2015): Hackers gained access to sensitive details of 21.5 million Americans, including 5.6 million sets of fingerprints of federal employees. Unlike passwords, these identifiers cannot be changed, raising long-term security risks for those affected—a critical worry for ID verification and background check systems everywhere.
• Generic Biometric Data Leaks: In 2019, a database containing over 1 million fingerprints, facial recognition records, and employee logins of security contractors (serving police and banks) was found online. Breaches like these offer attackers persistent access since biometric data is immutable—unlike passwords, it cannot be reset if compromised.
• Growing Deepfake Risks: Leaked biometric data is now being used in sophisticated scams involving deepfakes, such as synthetic voice or video manipulations to deceive financial institutions and enterprises. For example, in 2024, UK firms lost millions due to deepfake-powered fraud that circumvented ID checks based on biometric data.

Hypocrisy – Gambling websites not affected

One area I have a significant issue with is the blatant hypocrisy about “protecting children”.

The Online Safety Bill doesn’t target gambling sites, and the UK has some serious gambling issues that are devastating many people’s lives.

Things like loot boxes introduce children to gambling, but these are all free to operate without ID checks.

Easy to Bypass with VPN

As you have probably seen in the news, the demand for VPNs has spiked.

If you are unfamiliar with a VPN, this is a virtual private network, and in this context, users subscribe to a VPN service, which then allows them to route their traffic through other computers/servers, making it seem like they are located somewhere else.

Traditionally, these have been used to help maintain anonymity for both legal and non-legal reasons.

They are good for privacy-conscious people who don’t want website tracking them, and they have been used extensively in countries that try to censor people. Many journalists and individuals use these to transmit information safely.

They are also popular for making it seem like you are in a different country, which is then often used to bypass other types of content restrictions, different content on streaming services or reduced prices on streaming services.

For the Online Safety Bill, selecting a different country than the UK bypasses the ID checks.

Who is responsible for carrying out ID checks for the Online Safety Bill

Under the UK Online Safety Act 2023, ID checks and age verification are the responsibility of online platforms, but the government and Ofcom do not mandate a specific method—only that the methods must be highly effective for protecting children from harmful content.

1. In-house by the platform itself

Large platforms like Instagram, TikTok, or OnlyFans may implement their own age verification systems, using:

• AI facial analysis (e.g. estimating age from a selfie or video)
• Document scans (e.g. passport, driver’s licence)
• Credit card or mobile phone verification

2. Third-party age verification providers

Many platforms outsource age checks to specialist providers who:

• Receive your ID or biometric data
• Verify age or identity
• Return only a “yes/no” response to the platform (i.e. whether the person is old enough)

UK-based providers include:

• Yoti
• 1account
• VerifyMyAge
• Persona (used by Reddit)

These services often claim to:

• Delete data immediately after verification
• Use privacy-preserving technology (like zero-knowledge proofs or face estimates without storing images)

3. Through device-level or network-level controls

In some cases (e.g. app stores, telecoms), age could be determined or enforced via:

• Device OS parental controls
• ISP age-restricted browsing settings
• Age-linked mobile accounts

Analysing the Privacy Policy for Persona – the ID check provider for Reddit

If you try to view any adult sections on Reddit, you will be asked to provide your ID, which is handled by a company called Persona. When you are shown this message, they link to their privacy policy here: https://withpersona.com/legal/privacy-policy

The Persona privacy policy raises several privacy concerns that individuals and organisations should be aware of:

1. Extensive Personal and Biometric Data Collection

• Persona collects extensive personal data including names, contact information, demographic details (such as birthdate, age, gender), government IDs, and files uploaded by users.
• Significantly, Persona collects biometric data—specifically facial scans derived from government IDs and selfie photos—for identity verification and fraud prevention. This sensitive biometric data is gathered, analyzed, and retained on their systems.

2. Data Sharing with Third Parties

• Personal and biometric data may be disclosed to a variety of third parties, including service providers (cloud services, background check providers, analytics platforms), device operators, and fraud-prevention partners.
• Some third-party disclosures (such as for analytics or targeted advertising) are broad and, especially under US state laws (such as California’s CCPA), may be considered a “sale” or “sharing” of personal data.

3. Biometric Data Storage and Retention

• Persona states it securely stores facial scans and associated photos in encrypted formats, but biometric data may be stored for up to three years after the last user interaction before deletion, unless required otherwise by law. This extended period of storage increases risk if the data is compromised.

4. User Rights and Control Challenges

• While users have rights to access, correct, or delete their data, individuals whose data is processed on behalf of business customers must contact those businesses directly to exercise their rights—potentially adding friction or limiting control.
• Further, Persona reserves the right to deny certain user requests (such as access or deletion) if it cannot authenticate identity, if there are legal obligations to retain data, or if requested changes could impact the privacy of others.

5. Potential Use for Advertising and Analytics

• The policy allows for the use and sharing of personal data for advertising and analytics, which could include cross-site tracking by advertising companies and the aggregation of user profiles for targeted marketing. Users may need to take explicit actions to opt out, especially for sales and targeted advertising under CCPA/CPRA.

6. International Data Transfers

• Data may be stored and processed outside the user’s home country, including in the United States and Germany, potentially subjecting it to foreign government access. The policy claims alignment with EU-U.S. and UK data privacy frameworks, but cross-border transfers remain an inherent risk.

7. Legal Disclosures and Surveillance

• Persona discloses that user data may be provided to law enforcement or regulatory authorities when legally required or to protect their own or others’ rights, raising concerns about surveillance and government access without direct user notification.

8. Biometrics and Consent

• Persona will not sell, lease, or trade biometric data, but will disclose or use it for verification, fraud prevention, legal compliance, or with explicit consent. However, users may not be fully aware of all downstream uses at the time of consent, especially when data is processed on behalf of another company (the “Customer”).

Summary Table of Key Concerns

Ways to bypass the ID checks online for the Online Safety Bill

If you hadn’t already worked it out, the main way to bypass ID checks for the Online Safety Bill is via a VPN and changing your location to a country other than the UK.

The most accessible way to do this is to sign up for a VPN provider such as NordVPN/Surfshare/ExpressVPN.

There are many free VPNs that would work, but I would caution against these as the performance is often not great, and the services are plagued with issue. The fact they are free normally indicates that you are the product, so you can’t rely on them to keep your data private.

It has also been reported that some ad blockers, like uBlock Origin, allow users to create custom filters that can bypass age restrictions.

Additionally, depending on what you are trying to access, third-party apps may bypass the ID checks of official apps.

It is also theoretically possible to provide fake data to these ID apps. While I won’t condone the use of deepfakes for anything, the growth of AI content creation could likely enable the bypassing of these checks.

Why does the Online Safety Bill not protect children?

On the 29^th of July, Technology Secretary Peter Kyle made a bizarre accusation against Nigel Farage, accusing him of being on the side of people like Jimmy Savile.

I personally think Nigel Farage is a reprehensible human being, but this accusation is just moronic.

Jimmy Savile didn’t use the Internet to commit his crimes; he used his money and power to do so.

The BBC was criticised in multiple inquiries for missing opportunities to stop Savile. Some individuals in senior positions were aware of his behaviour or faced rumours, but failed to act decisively.

It was reported that the police sometimes put protecting celebrities above child protection, with information about Savile’s offences classified in a way that made it inaccessible to many officers. This, along with a lack of information sharing between police forces, allowed him to avoid scrutiny for a prolonged period.

It is people in a position of power who allowed Jimmy Saville to do what he did.

An MP making these claims sounds more like projection and hypocrisy than a valid accusation.

I have no reference or objective stats to back this up, but I would assume that people who prey on children are already bypassing methods used to identify people online.

VPN Providers

When it comes to selecting a VPN provider, it can be confusing. There are so many options and they all make lots of big claims about performance, privacy and the number of available servers you can use as endpoints.

You may want to consider how secure your data is through a VPN. Many countries have information-sharing agreements, so a VPN provider based in the US may share data with the UK government as part of the Five Eyes intelligence alliance.

 5 Eyes, 9 Eyes, and 14 Eyes Countries

There are currently various intelligence sharing agreements, and many prefer to select a VPN provider that is not based in one of these companies:

• Five Eyes countries: United States, United Kingdom, Canada, Australia, and New Zealand
• Nine Eyes countries: The Five Eyes plus Netherlands, Norway, Denmark, and France
• Fourteen Eyes countries: The Nine Eyes plus Italy, Germany, Belgium, Sweden, and Spain
• Partners of the Fourteen Eyes: Israel, Japan, South Korea, Singapore, British Overseas Territories

Recommended VPN Providers

I don’t really have a favourite VPN provider. In the past, I have found them to be hit or miss with the quality of connection, but most of the VPN providers I have used in recent years have had excellent performance.

Personally, I am not too concerned about selecting a VPN provider outside of the 14 Eyes countries. There is nothing I do online that I am too concerned about, but I also don’t trust these ID providers, so I use whatever VPN is affordable and provides good performance.

Some of the VPN providers I have reviewed include:

• PrivadoVPN
• NordLayer VPN (Business focussed version of NordVPN)
• Surfshark VPN
• PureVPN
• F-Secure Total Internet Security and VPN

Additionally, I reviewed the Aircove Go travel router, which uses ExpressVPN.

I am currently using Surfshark for my VPN, mainly because it was cheap. I subscribed back in 2023 for 2 years for £46.55, and when I came to cancel, they offered a renewal for £35.49. At the time of renewal, I rarely used a VPN, but seemed worth it at this price.

While I use Surfshark and can recommend them, I should point out that they are based in the Netherlands, which is a 9 Eyes country. However, like many VPN providers, Surfshark claims to be a no-log provider, and this has been independently verified by Deloitte back in 2023.

I have also used Mullvad via Tailscale, which worked well, btu was quite a bit more expensive than Surfshark.

Mullvad is based in Sweden which is also part of the 14 eyes alliance, but many regard this as one of the best privacy focussed VPNs.

From the Mullvad website, they state:

Mullvad VPN is based in Sweden, and here the relevant law is called the Electronic Communications Act (Lagen om elektronisk kommunication, LEK). It’s LEK that regulates how internet service providers must log traffic, and it’s very clear: this law doesn’t apply to VPN services. So the basic conditions for running a privacy-focused VPN service are good, Swedish law doesn’t require VPN services to log either their customers or their traffic.

This was put to the test back in 2023, when the police turned up and demanded access to data, but as they don’t log data, they walked away with nothing.

Mullvad privacy claims are boosted by the fact they accept cash, Bitcoin, Bitcoin Cash, Monero, bank wire, credit card, PayPal, Swish, Eps transfer, Bancontact, iDEAL, and Przelewy24.

To pay in cash, you need to put your cash and payment token (randomly generated on the website) in an envelope and send it to them.

Many people also pay via prepaid bank cards.

VPN Providers Outside 14 Eyes

If you want the added privacy of a VPN provider outside of the 14 Eyes alliance, then the following are all recommended:

• NordVPN located in Panama
• Proton VPN located in Switzerland
• PrivadoVPN located in Switzerland
• CyberGhost located in Romania
• ExpressVPN located in British Virgin Islands

Will the government target VPNs?

Everything I have said above is really just parroting what other people have said.

But, one of the things that made me write this article was how the government will try and deal with the blatant failure of this Online Safety Bill due to how easy it is to bypass it using a VPN.

Many have speculated that the government will begin targeting VPN providers, but how does that actually work?

They may be able to come up with some laws that target the links of Surfshark and NordVPN which are the sorts of VPN people are using to bypass this bill.

But that is just one example of how VPNs are used. I work in IT, and almost every company we work with uses VPNs to access work networks remotely. Many clients use site-to-site VPNs that allow two separate offices to work as one network.

I personally use Tailscale to securely log in to servers for hosting and to access my home network, where I also use it to log in.

Most decent third-party routers have VPN functions built in using technologies like IPSec or WireGuard.

So, how would the government target VPN services like Surfshark and NordVPN? Surely they wouldn’t target the underlying technologies, as that would have a significant impact on most businesses in this country (though I wouldn’t put it past them, as they are already attacking encryption).  

If they target the companies providing these services, how do they prevent genuine VPN services from being targeted? And will they stop people from creating their own VPN networks by renting a server and routing traffic through that?

Conclusion

The UK Online Safety Bill appears to be a complete mess that fails to achieve what the government claim they want to achieve.

It has been so badly thought out and implemented, it seems perfectly logical to assume that the government don’t really care about protecting children, they just want to introduce mass surveillance in the UK.

James Smythe( Editor-in-chief )

I am James, a UK-based tech enthusiast and the Editor and Owner of Mighty Gadget, which I’ve proudly run since 2007. Passionate about all things technology, my expertise spans from computers and networking to mobile, wearables, and smart home devices.

As a fitness fanatic who loves running and cycling, I also have a keen interest in fitness-related technology, and I take every opportunity to cover this niche on my blog. My diverse interests allow me to bring a unique perspective to tech blogging, merging lifestyle, fitness, and the latest tech trends.

In my academic pursuits, I earned a BSc in Information Systems Design from UCLAN, before advancing my learning with a Master’s Degree in Computing. This advanced study also included Cisco CCNA accreditation, further demonstrating my commitment to understanding and staying ahead of the technology curve.

I’m proud to share that Vuelio has consistently ranked Mighty Gadget as one of the top technology blogs in the UK. With my dedication to technology and drive to share my insights, I aim to continue providing my readers with engaging and informative content.