The Online Safety Act: Expanded Cyber Risk For Business and Individuals

Quick Summary
- The UK’s new age-verification rules aim to protect children but risk exposing everyone’s privacy.
- Third-party verification providers are poorly regulated and could mishandle sensitive data.
- VPNs will help users bypass checks, often with unsafe free services that create new dangers.
- Businesses face added cyber risks if employees use insecure tools on work devices.
- Privacy-preserving systems, such as zero-knowledge proofs or secure digital ID wallets, let a user prove only that they are over 18 without handing their identity to the site or to a third party, and are safer alternatives.
Why a well-meaning law is ultimately flawed
The UK’s Online Safety Act now requires users to prove their age before accessing online adult content. The intention is to stop children from seeing harmful material, and that’s pretty hard to argue against. Young minds are still developing, and exposure to extreme sexual material or other harmful content can have lasting consequences.
Parents cannot fully police their children’s online behaviour, and many will welcome anything that might prevent their kids from being able to have unmonitored access to adult material.
Let’s be clear: we’re not against online safety measures. But the method matters.
This law hands age-verification duties to poorly regulated third parties. Users may have to upload copies of passports, driving licences or other personal documents to companies they’ve never heard of. That’s not just inconvenient; it’s a time bomb waiting to hit individuals and businesses alike.
The privacy problem with third-party verifiers
When you give a company your ID, you’re trusting them with your most sensitive data. Under GDPR and other privacy laws, they must protect it, but legal compliance is not the same as true safety.
A provider could store far more than just a birthdate, such as your name, ID number and the site you visited. The GDPR’s storage-limitation principle requires them to delete copies of IDs once they have served their purpose, but who is checking that this is happening? Imagine a database that linked “Joe Bloggs” with “Pornhub” and could prove it with an ID upload. A breach could destroy reputations, relationships and careers.
Once a serious data breach happens, slapping a company with a GDPR-related fine doesn’t reverse the damage that has been done.
The UK’s free-market approach to verification may speed rollout, but it also invites small, inexperienced startups into the sector. Cost efficiency may win out over security best practice, and in the realm of sexual content, the stakes are far higher than in ordinary e-commerce.
VPNs: A loophole with very real dangers
Even the best verification system is useless if it can be bypassed. In this case, all it takes is a VPN.
Almost anyone with half an understanding of modern technology knows how to install a VPN app. But not all VPNs are equal. Paid services from reputable companies tend to respect privacy. Free or low-cost VPNs often don’t; some have undisclosed links to state-backed operators, including Chinese companies, and have been caught tracking user activity.
According to the Tech Transparency Project, free VPNs available in popular app stores could log and sell browsing data, inject malware, or leave devices open to hacking. For businesses, an employee using a compromised VPN on a company device could unintentionally hand over logins, documents and customer records to criminals.
The risk of blackmail, ransom and mental health concerns
We’ve already seen tragic cases of teen suicide following intimate image leaks, such as the case reported by The Guardian.
If a poorly secured age-verification provider is hacked, and someone’s browsing history or account details are exposed, the personal toll could be devastating. Blackmail, shame and mental health crises are very real consequences.
For businesses, an employee who is targeted with extortion becomes a cyber and financial risk to the organisation.
Scope creep and puritanical potential
Once a system is in place, it can expand. The Wikimedia Foundation has already challenged Ofcom over the possibility of Wikipedia being classified as needing age checks, despite it not being an adult site.
This shows how the framework could ‘creep’ into areas far beyond the original intent, shaping the internet into something more restrictive and puritanical than many would expect.
Could this creep in scope ever reach the door of your organisation?
Rights and ethics for adults
There’s also an ethical point. Adults in the UK have the legal right to view adult material. They should be able to exercise that right without being personally identified or tracked while doing so. Privacy isn’t a loophole; it’s a fundamental part of digital rights.
I can already hear the voices arguing that the rights of minors to be protected are worth the costs and no system is perfect. That’s a fair assessment, but better technology does exist!
Better technology exists
Other regions, such as the EU, are exploring privacy-preserving approaches that separate the act of checking a document from the act of visiting a site.
- Zero-knowledge proofs can confirm a user is over a certain age without revealing their name or any other identifying information: a credential issued once by a trusted party (for example after a passport check) lets the user prove a single statement such as “over 18”, and the site learns nothing else. This is not age estimation from browsing behaviour; it is a cryptographic proof about a verified credential.
- The EU’s upcoming digital identity wallet will let users prove their age by presenting a signed credential from which they disclose only the claims a site needs, again without handing personal documents to multiple sites.
Any system that lets a user prove one fact, such as being over 18, without passing their identity documents or browsing history to a third party is far less risky than the UK’s current model.
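To make the difference concrete, the following is an added example written for this article, not code from any vendor or from the EU wallet project. It shows the selective-disclosure pattern that wallet credential formats such as SD-JWT and mdoc use (a simpler cousin of a full zero-knowledge range proof): a trusted issuer checks the real document once, computes the over-18 flag itself, and signs a salted hash of every claim. The wallet then hands a website only the over-18 disclosure, so the site can verify the issuer’s signature without ever seeing a name, date of birth or document scan, and has nothing worth breaching. All names, dates and keys are constructed, and HMAC stands in for the issuer’s digital signature so the example runs with the standard library alone; a real deployment uses a public-key signature so that websites cannot forge credentials.

```python
"""Selective-disclosure age credential (illustrative, standard library only).

Roles: issuer (e.g. a passport office) -> holder's wallet -> relying party (website).
HMAC is a stand-in for the issuer's signature; everything here is constructed
for illustration and is not production code.
"""
import hashlib
import hmac
import json
import secrets
from datetime import date, timedelta

ISSUER_KEY = b"constructed-issuer-key-do-not-reuse"  # stand-in for the issuer's signing key


def _digest(salt: str, name: str, value) -> str:
    # Salted hash of one claim. The random salt stops a verifier brute-forcing
    # small-domain values (every possible date of birth) from the digest alone.
    return hashlib.sha256(json.dumps([salt, name, value]).encode()).hexdigest()


def issue_credential(name: str, dob: date, today: date, issuer_key: bytes = ISSUER_KEY) -> dict:
    """Issuer: verifies the document once and signs digests of the claims.
    The issuer, not the website, decides the over-18 flag."""
    age = today.year - dob.year - ((today.month, today.day) < (dob.month, dob.day))
    claims = {"name": name, "dob": dob.isoformat(), "over_18": age >= 18}
    # Each claim gets its own salt so it can be disclosed independently.
    disclosures = {k: (secrets.token_hex(16), v) for k, v in claims.items()}
    digests = sorted(_digest(salt, k, v) for k, (salt, v) in disclosures.items())
    payload = json.dumps(
        {"digests": digests, "exp": (today + timedelta(days=365)).isoformat()},
        sort_keys=True,
    )
    signature = hmac.new(issuer_key, payload.encode(), hashlib.sha256).hexdigest()
    return {"payload": payload, "signature": signature, "disclosures": disclosures}


def present(credential: dict, reveal: list) -> dict:
    """Holder's wallet: hands over the signed payload plus only the chosen
    disclosures. Undisclosed claims remain opaque digests."""
    return {
        "payload": credential["payload"],
        "signature": credential["signature"],
        "disclosures": {k: credential["disclosures"][k] for k in reveal},
    }


def verify_over_18(presentation: dict, today: date, issuer_key: bytes = ISSUER_KEY) -> bool:
    """Relying party: checks the issuer signature, expiry, and that every
    disclosed claim matches a signed digest, then reads only over_18."""
    expected = hmac.new(issuer_key, presentation["payload"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, presentation["signature"]):
        return False  # not issued by the trusted issuer
    body = json.loads(presentation["payload"])
    if date.fromisoformat(body["exp"]) < today:
        return False  # stale credential
    for k, (salt, v) in presentation["disclosures"].items():
        if _digest(salt, k, v) not in body["digests"]:
            return False  # disclosure tampered with or forged
    return presentation["disclosures"].get("over_18", ("", False))[1] is True


if __name__ == "__main__":
    today = date(2025, 7, 25)  # constructed date
    cred = issue_credential("Joe Bloggs", date(1990, 3, 4), today)  # constructed person
    shown = present(cred, ["over_18"])
    print("site sees:", shown["disclosures"])           # only the over-18 flag
    print("over 18 accepted:", verify_over_18(shown, today))
```

The website receives a signature, a list of digests and one salted flag; it cannot recover the name or date of birth from the remaining digests without the salts, which stay in the wallet. One caveat a practitioner should know: a credential reused across many sites is linkable by its digests, so real wallets issue batches of single-use credentials or use unlinkable proofs to keep “Joe Bloggs visited site X” out of any database.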
Business impact: a cybersecurity multiplier
The new law isn’t just a personal privacy concern. It also opens fresh security risks for organisations:
- Employees may use unsafe VPNs on work devices, exposing company data.
- If employee names and adult sites were leaked together, it could cause reputational damage at scale.
- Blackmail attempts could lead to financial fraud if targeted staff have access to company funds.
How can organisations reduce their risk factors?
To reduce the risk of these knock-on threats, businesses should:
- Restrict the ability to install apps (including VPNs) on work devices.
- Separate personal and professional devices wherever possible.
- Educate staff about safe VPN choices and the dangers of free services.
- Monitor for compromised accounts linked to employee credentials.
- Update incident response plans to include scenarios involving blackmail or reputational threats.
Need help assessing your organisation’s cyber resilience?
Speak to Trustco, your trusted technology adviser, for expert guidance on safeguarding data, devices and people in a changing online safety landscape.