The top 3 cybersecurity risks posed by the Online Safety Act and age verification

On July 25, 2025, the Online Safety Act went into effect in the UK. This new law means that UK residents will have to verify their age in order to access content deemed inappropriate for minors by the Office of Communications (OFCOM).

This has led to a huge spike in UK residents searching for the best VPNs in order to circumvent these restrictions and avoid sharing their personal information.

The law has required many sites and apps, including social media sites, to enforce age verification in a number of different ways. However, this has raised a number of concerns around data privacy and safety, especially the cybersecurity risks posed by third parties processing sensitive information. Here, we take a look at some of the risks that may be posed by third-party age verification services.

1: Data breaches, identity theft and fraud

Many UK citizens have questioned the safety of uploading either their likeness or a copy of their government ID (e.g. passport or driver's license) in order to access blocked sites or content on apps.

Many are concerned about the potential ramifications of this information being stolen in a data breach. The personal information available on an ID card is very valuable to hackers, and could be sold for a large amount of money on the dark web.

If a third party were hacked, and copies of users' identification were stolen, this could have huge repercussions for all those involved. The main concerns are, of course, identity theft and fraud.

If a hacker gained access to a copy of your passport or driving license, they could do a number of nefarious things, including opening bank accounts in your name, applying for loans and credit cards, and even creating fake IDs using your details. This can have huge ramifications for the victim, including impacting their credit score and having crimes committed in their name.

Unfortunately, the onus is on the companies and sites employing the third-party services and the third-party services themselves to make sure they are as secure as possible, and that users' personal information is as protected as possible.

2: Data risks posed by third-party services

In order to comply with the new age verification laws, many companies have introduced age verification via third-party services. For example, social media site Reddit uses Persona.

However, many of the third-party companies that are being used to comply with the Online Safety Act are actually based in the US, which has worrying implications for the UK data stored by them. This is because, under the Patriot Act, these companies could be compelled to give the data they hold to the US government.

To combat this, companies must censor and/or delete the information used to verify a person's age. For example, Persona has said that it will not store ID verification data for longer than 7 days.

This is similar to how Private Internet Access, a well-respected US-based VPN, upholds its user privacy by simply not recording or storing any user data. While it does publish quarterly reports of all the information requests it has received, the reports show that it has not shared any information with the US government – after all, it cannot release any data it does not have.

That said, Persona and its data protection practices do not represent all of the third-party verification companies being used to verify users' ages. Other companies could hold users' data for a lot longer than 7 days, meaning that they would have more data to surrender if the US government asks for it.

This is obviously problematic considering the sensitive nature of the data that they will have access to.

3: More realistic phishing campaigns

Last year, I wrote about a new sextortion scam which combined real data stolen from data leaks and/or breaches with an intentionally anxiety-fuelling script in order to convince victims that they had to pay up or risk intimate pictures and details being leaked to their entire contact list.

Of course, hackers did not actually have access to these pictures or details, and instead were relying on victims having limited knowledge of what certain types of malware can actually do. However, with these new age verification laws requiring users to upload pictures of themselves or their government ID, scammers could easily take advantage of this and put together an even scarier script.

If you had used an age verification system to access an adult website, it would suddenly become far more plausible that your data had been accessed, meaning you may be more likely to believe the lies sent to you by scammers.

This would be even more believable if the scammers had access to information, stolen from other data breaches or leaks, that could plausibly be on your government ID.

However, it's important to remember that third-party verification means that your account data is not shared with the verification service, and your ID data is not shared with the site you're attempting to access. So, if scammers are claiming they have linked the two, this is a lie.

Olivia Powell
Tech Software Commissioning Editor

Olivia joined Tom's Guide in October 2023 as part of the core Tech Software team, and is currently VPN Commissioning Editor. She regularly uses VPNs to make sure they deliver what they promise, and specializes in testing VPNs with streaming sites.
