The UK Online Safety Act, which came into force in July 2025, requires age verification across platforms but has sparked massive public opposition with over 529,000 petition signatures and a 1,800% surge in VPN usage.

Despite government claims about child protection, the legislation creates surveillance infrastructure that experts warn makes the internet less safe while failing to protect children who can easily bypass restrictions.

Article Summary

The UK Online Safety Act has triggered unprecedented public backlash with over 529,000 petition signatures demanding repeal and VPN downloads surging 1,800% as citizens seek to bypass age verification requirements.

The legislation forces users to submit government IDs and biometric data to unregulated third-party companies, creating massive privacy risks while failing to protect children who can easily circumvent restrictions.

What is the UK Online Safety Act?

After 7 years of development beginning with the 2019 Online Harms White Paper, this new legislation aims to make the UK, “the safest place in the world to be online” through mandatory age verification systems, content moderation requirements, and severe financial penalties for non-compliance.

The Act’s scope extends far beyond traditional social media platforms, encompassing search engines, messaging services, file-sharing sites, and even community forums, affecting an estimated 100,000+ companies globally.

The legislation establishes Ofcom as the regulator with unprecedented enforcement powers, including the ability to impose fines of up to £18 million or 10% of qualifying worldwide revenue, whichever is higher.

These digital platform regulations apply to any service with significant UK users or targeting the UK market, regardless of where companies are based, creating extraterritorial jurisdiction that has sparked international diplomatic tensions.

The Act categorises platforms into different tiers, with Category 1 services like Meta and Google facing the most stringent requirements including algorithmic transparency and democratic content protections.

Implementation follows a phased approach with key milestones already in effect since March 2025 for illegal content duties, while child safety measures became enforceable from July 2025.

The Act requires platforms to do the following actions:

• Conduct comprehensive risk assessments
• Implement “highly effective age assurance” technologies
• Maintain detailed compliance records subject to Ofcom inspection

Criminal liability extends to senior managers who fail to ensure compliance with information requests or child protection duties, marking a significant escalation in personal accountability for digital platform leadership under UK internet law.

The Petition That Shocked Westminster

The most powerful indicator of the UK Online Safety Act’s failure is the extraordinary public response it has generated. The parliamentary petition demanding repeal has reached 529,179 signatures Techdirt , making it one of the fastest-growing petitions in UK parliamentary history and far exceeding the 100,000 threshold for parliamentary debate consideration.

Citizens express frustration that the government is “risking clamping down on civil society talking about trains, football, video games or even hamsters because it can’t deal with individual bad faith actors” Techdirt . This unprecedented level of public opposition to internet regulation has forced the government to provide a detailed response, though officials maintain their position that the Act is essential for protecting children online.

🔗 Sign the Official Parliamentary Petition to Repeal the Online Safety Act

Government’s Petition Response Completely Ignores Public Concerns

Despite the overwhelming public opposition, the government’s response has been categorically dismissive of citizen concerns. The Department for Science, Innovation and Technology stated:

Technology Secretary Peter Kyle has gone further, making inflammatory claims that critics of the Act are “on the side of predators”, a statement that demonstrates the government’s willingness to weaponise child protection rhetoric to shut down legitimate criticism.

This approach exemplifies how politicians use emotional manipulation rather than evidence-based responses to address substantive concerns about the legislation’s scope and implementation.

Officials emphasised that Ofcom enforcement would take a “risk-based and proportionate approach,” focusing on larger platforms while supporting smaller services through guidance and tools. However, critics argue that the government’s promises of proportionality ring hollow given the broad definitions within the Act and the practical impossibility of selective enforcement across the diverse landscape of UK accessible online services.

Digital Civil Disobedience and the VPN Explosion

Citizens have responded to the Act’s implementation with what amounts to digital civil disobedience, with VPN usage experiencing an extraordinary 1,800% surge following the July 2025 enforcement deadline. Proton VPN recorded a surge of more than 1,400% in UK signups within hours of the Online Safety Act taking effect on July 25, 2025.

Five of the top 10 free applications on Apple’s UK App Store became VPN services as users sought to circumvent age verification requirements. This VPN surge UK demonstrates the practical challenges of enforcing territorial internet restrictions and highlights the gap between government intentions and public acceptance of the new digital framework.

Data from Decodo shows proxy users from the UK increased by 65% following the launch of the Online Safety Act, while proxy traffic rose by 88%, indicating that sophisticated users are adopting multiple bypass technologies to maintain their digital privacy and freedom.

📺 GB News: UK Dragged back to 1918 overnight

Security Implications & Corporate Resistance

The Act’s extraterritorial demands have created unprecedented international tensions, particularly with the United States where officials view UK surveillance requirements as threats to American digital sovereignty. Apple Inc. called the legislation a “serious threat” to end-to-end encryption, warning that it could force the company to weaken security features designed to protect users from surveillance.

Meta Platforms similarly stated that it would rather have its WhatsApp and Facebook Messenger services blocked in the UK than weaken encryption standards. The international implications extend beyond corporate complaints to fundamental questions about democratic governments adopting authoritarian surveillance tactics.

When established democracies like the UK implement mass surveillance, encryption backdoors, and content censorship under child protection rhetoric, they provide justification templates for genuinely authoritarian regimes seeking to suppress dissent and monitor citizens.

Fundamental Flaws of Mass Data Collection

The Honeypot Problem

Cybersecurity experts warn that “these verification systems create massive centralised databases of biometric and identity data. The security risks are immense. We’re essentially creating honeypots for cybercriminals whilst destroying user privacy” FTI . Unlike passwords or credit card numbers, stolen biometric data cannot be changed, making successful breaches catastrophically permanent for affected users.

The concentration of millions of British citizens’ most sensitive personal information including government identification documents, biometric facial scans, and financial data in databases operated by largely unregulated third-party companies creates unprecedented attack targets for cybercriminals and foreign intelligence services.

Previous data breaches at verification companies have exposed thousands of identity documents and facial recognition data, demonstrating that data exfiltration attacks are not theoretical but established reality.

Lack of Regulatory Oversight

Privacy campaigners have identified that there is “no public register of approved age assurance providers, no requirement for age assurance providers to meet any specific privacy or security standards, and no requirement for platforms to choose trusted or certified providers” Kennedys Law LLP. This regulatory vacuum leaves users completely dependent on companies’ voluntary privacy commitments with no legal recourse for violations.

The international nature of many verification providers means that UK user data may be processed and stored in countries with different privacy laws and security standards, creating additional vulnerabilities. Companies with backgrounds in intelligence gathering and surveillance have access to intimate details about British citizens’ online activities and personal information without meaningful oversight.

Systemic Security Vulnerabilities

The permanence of biometric data makes verification database breaches uniquely catastrophic. When financial information is stolen, cards can be cancelled and accounts closed. When biometric facial recognition templates are compromised, victims face permanent identity vulnerabilities that cannot be resolved through simple account changes or password resets.

State-level threats to these databases extend beyond criminal actors to include foreign intelligence services seeking detailed information about British citizens’ online activities, political affiliations, and personal relationships. The combination of government identification documents with detailed records of platform usage creates comprehensive surveillance profiles that would be extraordinarily valuable to hostile foreign actors seeking to influence or compromise UK citizens.

This immediate censorship of legitimate political protest footage demonstrates that the Act functions as a comprehensive censorship tool rather than focused child protection legislation.

Does Privacy Online Actually Protects Children

The government’s central claim that privacy represents a threat to child safety fundamentally misunderstands how online protection works in practice. Strong encryption and anonymous access enable children to seek help for sensitive issues including domestic abuse, mental health crises, and identity questions without fear of discovery by abusive parents or social stigmatisation from their communities.

Digital rights experts argue that “any attempt to protect children online should not include measures that require platforms to collect data or remove privacy protections around users’ identities”. The most vulnerable children (those facing abuse, discrimination, or mental health challenges) specifically require privacy protections to access help safely. By destroying anonymity, the Online Safety Act makes these children more vulnerable, not safer.

What Does The Safety Act Really Represent?

Alan Woodward, a cybersecurity expert at the University of Surrey, described the Act’s surveillance provisions as “technically dangerous and ethically questionable”, stating that the government’s approach could make the internet less safe, not more. He added that the Act makes mass surveillance “almost an inevitability” as security forces would be liable to mission creep.

How Does Removing Encryption Damages Your Digital Rights?

The Electronic Frontier Foundation warns that “implementation of the UK’s Online Safety Act is giving internet users around the globe – including those in US states moving to enact their own age verification laws – real-time proof that such laws impinge on everyone’s rights to speak, read, and view freely”.

Path to censorship, Elon Musk slams UK

Digital Authoritarianism Disguised as Child Protection

The evidence overwhelmingly demonstrates that the Online Safety Act is not genuinely designed to protect children but rather to establish comprehensive government control over digital communications. From the moment the Act’s age-verification duties took effect on 25 July 2025, protest footage and political content began being blocked, revealing the legislation’s true purpose as a censorship tool rather than child protection measure.

The broad scope ensures that government control extends far beyond protecting children to regulating adult political discourse and civic participation. The legislation attempts to make the UK “the safest place” in the world to be online by placing a duty of care on online platforms to protect their users from harmful content.

It mandates that any site accessible in the UK including social media, search engines, music sites, and adult content providers to enforce age checks to prevent children from seeing harmful content.

The most concerning aspect of the UK’s approach is how it provides democratic legitimacy for authoritarian surveillance tactics worldwide. When established democracies like the UK implement mass surveillance, encryption backdoors, and content censorship under child protection rhetoric, they provide justification templates for genuinely authoritarian regimes seeking to suppress dissent and monitor citizens.

The UK’s legislation coincides with similar approaches globally, suggesting coordinated international movement toward digital authoritarianism disguised as child protection.

Key Resources:

• UK Parliamentary Petition – Official petition to repeal
• Government Response – Official implementation guidance
• Electronic Frontier Foundation Analysis – Digital rights assessment
• Ofcom Implementation Guidance – Regulatory framework details
• TechRadar VPN Surge Report – Detailed analysis
• Free Speech Union Documentation – Content censorship evidence
• Aardwolf Security – Cybersecurity analysis and penetration testing

Citations:

• No, The UK’s Online Safety Act Doesn’t Make Children Safer Online | Techdirt
• Navigating the UK Online Safety Act | FTI Consulting
• UK Online Safety Act: how to comply as illegal harms duties take effect