Good afternoon from Blighty! The British government already has a penchant for snooping on its citizens. But some of the actions it has taken lately go further, threatening to make online anonymity off limits. Here’s a closer look at a few recently introduced policies that could change the internet as we know it in the UK.

Four policies that threaten the UK’s open internet

by Lucy Harley-McKeown

Here in the UK, it seems almost inevitable that sometime soon, if you want to go online, you’ll need to show your ID first.

The latest step in this direction is Prime Minister Keir Starmer’s announcement this week that the government will ban kids under the age of 16 from using social media. We already have the controversial Online Safety Act, which introduced mandatory age checks for certain websites in July, and a vague proposal for a new national digital identity card has been in the air since Keir Starmer announced it in September 2025.

Joining the dots, the plans have the potential to break the internet’s open infrastructure and tie every action someone takes online to their personal identity. This could not only supercharge the government’s already considerable surveillance powers, but also dramatically increase the risk that personal information—which in order to comply with the new regulations is likely to be stored in large, centralised databases—could be lost to hackers and other bad actors.

Here are four relatively new policies that have inspired civil liberties campaigners and digital rights activists to raise their hackles—and suggest that the UK is heading in a direction that threatens to shut down privacy online.

1. Banning children from social media… and identifying everyone else who wants to use it

The most recent example of the UK’s attempts to regulate the internet is a ban on the use of certain social media sites for kids younger than 16. The government has framed it as a move to “give kids their childhood back.”

“The plans will set a new normal for future generations, kickstarting a cultural shift and driving forward the government’s fight to give every child the best start in life,” the announcement said. Keir Starmer told reporters in a press conference on Monday that the ban will come into effect early next year.

Snapchat, TikTok, YouTube, Instagram, Facebook, and X are in the firing line, while messaging platforms like WhatsApp and Signal will remain accessible, the announcement said. The new rules will also aim to stop children from using platforms that allow disappearing messages, but it is unclear how this will work, given that Signal and WhatsApp have this feature.

Supporters argue that addictive platform design and harmful content are damaging children’s mental health. Justine Roberts, founder of influential parenting website Mumsnet, has said this week that a poll of the site’s users showed that 95 percent believe that social media is harming children.

Keeping children safe is obviously a worthy goal. But a restriction aimed at children can quickly become a requirement for everyone else to prove their age before participating online. The age verification checks mandated by the Online Safety Act have already proven to be problematic (more on that later). And implementing such a ban raises serious questions: how exactly will platforms determine who is under 16 and who is not? How will this information be stored? How private will it be?

The government has not yet provided any answers. Campaign groups like Big Brother Watch have filled the void with concerns. “Anonymity is dead for the whole of the British public,” Big Brother Watch’s director Silkie Carlo told BBC News on Monday. Checks that require bank details, face scans, or identification are “really intrusive methods,” she added.

Opposition is also coming from politicians. Emily Darlington, a Labour Party MP and member of the Science, Innovation and Technology select committee, claimed a similar move in Australia quickly failed, with a majority of teens in the country finding their way back onto social media, often via newer platforms with less oversight.

Australia’s eSafety commissioner also released research showing that children who were within two years of the age limit were easily bypassing facial age estimation technology and half of the platforms included in the ban were being assessed for noncompliance. Darlington also argued that if children are banned from social media by default, there will be fewer political levers left for the government to use to regulate the content posted on platforms. “Banning platforms may generate headlines, but making platforms safe would actually solve the problem,” she wrote in Politico.

2. The Online Safety Act: Turning the internet into an ID checkpoint

The debate over age verification is hardly a new one in the UK. Keeping kids safe is also the stated goal of the Online Safety Act (OSA). First introduced to Parliament in 2021 and passed in 2023 by the Conservatives, parts of the OSA were enacted last year under Labour. It made age safety checks for certain websites mandatory.

Now, on Facebook, Bluesky, Instagram, and other social media sites, you can’t send a message unless you send a picture of your ID or allow a third-party company to scan your face. Certain parts of Reddit are also unavailable until you prove your identity to a verifier called Persona. The same is true for watching videos marked 18+ on Spotify. Porn websites are also now age-gated.

This hasn’t worked very well. Most people who don’t want to hand over a scan of their ID card or face have already worked out that the current restrictions can be sidestepped with VPNs, which are simple to acquire and run. In the week after the OSA took effect in July 2025, NordVPN said it saw a 1,000 percent increase in VPN purchases in the UK. Proton, which offers a VPN as well as private email services, said it had experienced a more than 1,800 percent increase in daily sign-ups. A recent analysis by the government’s Gambling Commission used data from Ofcom (the UK’s agency in charge of regulating the internet and enforcing the OSA) and the analytics firm Similarweb to estimate that since the law went into effect, VPN usage has been around 40% higher than pre-legislation norms.

The government ran a public consultation about online safety in which the matter of banning VPN use was discussed. Lawmakers also debated in Parliament in December whether VPNs should be brought into the regulatory remit. At the time, Conservative MP Peter Fortune asked the House: “Does [the Minister] agree that, for the Online Safety Act to be successful, the use of VPNs has to be examined further?” The likelihood of a ban has since been played down by technology minister Peter Kyle. Still, Kyle said in July last year that the government would be monitoring their use “very closely.” And Ofcom has already admitted to using an unnamed third-party AI tool to monitor VPN usage.

Ironically, pornography websites that have simply ignored the law—presumably prime targets for legislation meant to ensure children can’t access explicit content—are benefitting enormously. Traffic to websites that failed to age-gate doubled or even tripled their UK audiences compared with the same time last year, according to a report in the Washington Post.

There have also been data leaks. The chat application Discord said in October that one of its third-party verifiers, 5CA, had been hacked. “We have identified approximately 70,000 users that may have had government-ID photos exposed,” Discord said at the time.

Share

3. Encryption busting, too?

Shortly after the Online Safety Bill was passed in 2023, organisations like OpenDemocracy argued that parts of it amounted to an “assault” on encryption and privacy-preserving technologies.

The act makes it illegal to “intentionally obstruct” or “delay” the gathering of information by the police or other authorities. Companies offering encrypted communications argued this amounted to enabling so-called client-side scanning on encrypted messaging. This would mean scanning a message on a user’s device—such as a smartphone or computer—before it is sent over the internet or encrypted. At the time, it prompted messaging apps like WhatsApp and Signal to threaten to leave the UK.

The government appears to have listened to the arguments; the controversial provision, which opponents call the “spy clause,” is now paused—but only until it is “technically feasible” to employ it (or companies build the technology that would let them comply).

For years, there have been arguments against governments seeking greater access to encrypted communications for national security and law enforcement purposes. In 2016, the Investigatory Powers Act, which became known as the “Snoopers’ Charter,” expanded surveillance powers in the UK, requiring companies to retain user data and potentially provide access to encrypted material.

Amendments introduced safeguards in some areas, but the government can still legally intercept emails, messages and phone calls, as well as other digitally transmitted communications. Authorities could technically justify taking control of a laptop or phone and retaining a year’s worth of online activity data in the name of national security or serious crime investigations.

The combination of the Snoopers’ Charter and the Online Safety Act could give Ofcom and the Investigatory Powers Commissioner’s Office much stronger information-gathering and enforcement powers, critics have argued. Nik Williams, policy and campaigns officer at the campaign group Index on Censorship, told Wired last year that the two pieces of legislation create “a surveillance gateway between the [Online Safety Bill] OSB and the [Investigatory Powers Act] IPA in that this can give the security services, such as MI5, MI6, and GCHQ, access to data they previously could not access.” He added: “I would say it’s probably an unprecedented expansion of surveillance powers.”

4. Show me your Brit Card

For better or for worse, the UK is also developing a digital ID system that could make age-gating easier. As part of a push to tackle illegal immigration, it introduced the “Britcard” in September last year.

The government says the digital ID could have uses such as driver’s licences and accessing welfare and tax records. But it would also centralise a system that is currently more siloed. Passports and driver’s licences reside at different agencies; the Britcard would link them up.

“A digital ID is not just a card—there are multiple human rights concerns about the concentration and linking of information, databases and infrastructure behind them,” said Javier Ruiz Diaz, Amnesty International UK’s technology and human rights lead. The danger is not merely the card itself, but function creep.

After a tide of complaints from civil liberties advocates, including a petition against Britcard that garnered nearly 3 million signatures, the UK decided that it would not be mandatory. The government aims to roll it out before the end of the current Parliament in 2029.

For what it’s worth, the latest suggestions by the government for the Britcard scheme also indicate that it will be designed in such a way that will make it possible for users to selectively share the parts of their ID they want and hide the rest. We’ve talked at length in this newsletter and at our live events about how this is technically possible (See the panel I moderated at the 2025 DC Privacy Summit called How to Avoid a Dystopian Digital ID System).

So, at least in theory, there is still hope that even if sometime soon we have to show ID to access the internet in the UK, we may be able to do so without destroying our privacy.

Some other Glitchy headlines 🐈‍⬛

• Almost everyone is getting “crypto” wrong

• How agents are changing the meaning of computer security

• Who is responsible when your AI agent misbehaves?

Follow us on Twitter or get corporate with us on LinkedIn.