Spate of VPNs Sidestepping UK Online Safety Act Leaves Age-Check Providers Unfazed

There was a widely reported surge in the number of virtual private networks (VPNs) downloaded to circumvent age verification and estimation to bypass the new rules. Corby said age-assurance providers were alert to the possible attacks and stopped all the tricks reported over the weekend.

Under the OSA rules, sites and apps with pornographic material must have "strong age checks in place, to make sure children can’t access that or other harmful content," the U.K. Office of Communications (Ofcom) said.

Corby said the rules entitle pornography providers to conclude that it's not possible for children to access a service only if it uses age verification or estimation that typically prevents such access. Age verification and estimation must be "highly effective, not perfectly effective," he said.

However, if it's found that a significant number of U.K. children continue accessing primary priority content such as porn, suicide and self-harm sites via a VPN, the website is subject to Ofcom enforcement action, Corby said.

Good-quality, reputable VPNs aren't likely to come free, Corby said. They offer additional security, so age-verification providers "would never argue against their use."

Ofcom is "assessing compliance" to ensure platforms have age-verification mechanisms, an Ofcom spokesperson emailed us. "Companies that fall short should expect to face enforcement action."

For an age-check process to meet the OSA requirement of being highly effective, sites must take steps to stop children from being able to get around them easily, the spokesperson said. Platforms "must not host, share or permit content that encourages use of VPNs -- or other circumvention techniques -- as a way to get around online safety measures, like age checks."

Rules for age verification or estimation extend only to the use of a site in the U.K. and as the service affects U.K. users, Hogan Lovells tech regulatory attorney Telha Arshad emailed us Tuesday.

When a U.K. user accesses a service via a VPN, there's no feasible way for the service provider to know that the user is U.K.-based and should be subject to the OSA, Arshad said. Ofcom acknowledges that users can access VPNs to sidestep the rules but has warned against encouraging it, he noted.

It's possible that Ofcom may eventually require service providers to take steps to detect VPN use by U.K.-based users seeking access to sites without going through age gates, Arshad added. It can do that through codes of practice if it "thinks the use of VPNs is materially undermining the effectiveness of the OSA's requirements."

As the age-verification rules kicked in, the Center for Democracy and Technology (CDT) sent an emailed statement Monday highlighting a data breach of images and private messages held by the app Tea, which lets women share information about past romantic partners to keep themselves safe (see 2507280017).

"When apps collect sensitive identifying information like users' images or drivers' licenses to comply with age verification laws, they risk this kind of breach, which endangers privacy, safety, and dignity," CDT wrote.

Microsoft's Xbox announced Monday that U.K. players who sign in to an account indicating that they're 18 or older will begin seeing notifications for a one-time process allowing them to verify their age. Beginning early next year, the company said, it will require age verification for U.K. players to retain full access to social features such as game invites and text communications.