The UK’s new age-gating rules are easy to bypass
125 comments
·July 26, 2025pr337h4m
Quarrel
> surrendering to a foreign government that has no jurisdiction over them is what's new
Many countries, including the US, claim jurisdiction if you are providing services to their citizens. Some claim jurisdiction if someone in that country sees your web page (ie you've now "published" it there).
You've been blissfully unaware, perhaps, but this has been a thing for a long time.
You have probably seen sites having sections of their TOS tailored specifically for Californian users- this is not that different.
I think the UK legislation here is hamfisted and very harmful, but the jurisdiction argument is nothing new.
pyman
Harmful in which way? Porn addiction is as harmful as gambling, tobacco and alcohol addiction.
High school students with phones at school are showing porn to their friends, even younger kids. Some schools have banned phones, but teens aged 12–17 can still access porn sites freely when they get home.
In my opinion, gambling sites and porn sites should always verify age, same goes for shops selling tobacco and alcohol.
piker
Classic case of Wolfenstein 3d being banned in Germany in the 90s rings a bell.
louthy
You don’t get to sidestep a country’s laws just because you happen to sit outside of the country. If you want to provide services to people within any country then you must obey their laws.
If you’re unwilling to accept this, then you must be extremely careful when you travel internationally or turn off access to that country altogether.
This is true for every country on Earth. This is the price of doing business internationally.
null
jlarocco
There's the possibility that some of the users of these sites voted for these laws and want the verification in place.
pyman
Millions of worried parents, perhaps? Parents who are worried about the negative effects of gambling, tobacco, alcohol, and porn?
null
ataru
The world-wide-web is becoming more and more only-your-country-web.
mytailorisrich
This is because nowadays everything has to be zero-risk and "over-lawyered."
We have seen the same with the GDPR and now also with the UK Internet Safety Act.
mid-kid
Unlike the UK Internet Safety Act, the GDPR is really easy to comply with for small independent websites. It was aimed at the big companies and companies unethically mining data, and it didn't do much outside of that scope.
pr337h4m
There is absolutely zero risk as long as you stay out of the UK. Even if you do travel to the UK, there is no practical risk for the foreseeable future.
mytailorisrich
And yet we're seeing websites panicking and blocking all UK visitors... which is my point.
Also, thinking that there might be a risk if you travel to the UK because your random website on the other side of the world does not comply with a specific UK law is rather overestimating your importance and the British authorities.
rcxdude
Mainly because, I think, these services are doing the calculation of the risk vs the proportion of users they have from the UK (already small) and that cannot figure out how to use a VPN (even smaller)
ndsipa_pomu
The GDPR is designed to protect citizen's right to privacy and prevent websites from just plundering and selling people's private information. We need more places to implement GDPR style laws to ensure that companies don't think that they own people's data.
bsenftner
Are people still thinking a face image can be used to verify age? That's absurd. Former globally leading facial recognition developer here, and the article lightly mentions using a face image and age verification face analysis - that's not age accurate at all. Ask many ethnicities with experience, "age verification" image analysis is so unreliable it is fraud used in this context.
FMecha
Conversely, people in the UK have mentioned that they looked old enough to purchase age-restricted items at physical stores under an "does they look over 25?" protocol and still asked for ID to purchase them.
t_a_mm_acq
Can you share more about this please? I work in the industry and would love to know more about your experience with this verification method.
bsenftner
Well, it's not really a verification method, it's the use of age estimation models in a computer vision sense. The problem with age estimation models is they are only better in statistically unreliable ways within controlled ethnic demographics. That word salad means that age recovery trained algorithms have a variance of accuracy that is difficult to reduce, and when successful is only successful on narrow classifications of ethnicity. Part of the issue is ethnicity carries meaningful changes in age representation. Asian, African and several other ethnicity show age later and significantly more subtle than others. Now add in the existence of large demographics of mixed ethnicity, and then add in the issue of the uncontrolled illumination age verification systems are expected to operate... and age verification computer vision is rendered kind of useless. Kind of a joke. Kind of leading one to think anyone trying to sell a solution here could be dumb or a fraud. Might be some new breakthrough, but could it?
t_a_mm_acq
I’m not sure - I think between the NIST tracks for age estimation and the work entities have done to gather large, diverse sample sets shows meaningful progress and perhaps real world usage.
Your points above are valid and real concerns, in addition to liveliness. There is work further to be done and improvements to be made. But it seems to me that they are solvable problems.
These datasets are getting granular, monolid vs non, 12+ different ethnicity sub groups and so forth.
Do you not think that with enough data it’s solvable?
rcxdude
I think it is convenient for the services and probably the regulators to pretend so.
solids
As expected, bureaucrats completely out of touch with current technology producing regulations that are out of touch with current technology
SXX
They know what they doing exactly.
But they now have a reason to require age and ID checks to buy VPN. Then ban payments to VPNs that don't follow said regulation.
You'll see.
michaelt
Well, it all depends if the politicians actually care if this works.
You see, this bill was passed in 2023, under a Conservative government; then a Labour government was elected in 2024, before the bill came into force.
A nice little time bomb, set by the outgoing government - impractical and illiberal, but labelled all over with 'children' and 'cyber-bullying' and 'violent pornography'
So if the Labour government keeps the legislation, they look like heavy-handed censors silencing LGBT voices and local hobby/community forums, yet if they repeal the legislation you can criticise them for wanting children to have access to violent porn.
A Labour politician who thought this was shitty legislation, but who didn't think going on record as a pro-pornography voice would help his or her re-election prospects, might be entirely happy for age checks to be easy to bypass.
vidarh
Labour, if anything, mainly had issue with the Online Safety Act not being strict enough, and Labour has already gotten itself massively unpopular with a range of LGBT groups and do not seem to care.
SXX
I really hope you are right. I'm not UK resident now, but I lived enough there, have family there and know enough about local politics to understand that when it's comes to privacy and freedoms there is very little difference between Conservative and Labour.
mr90210
Mullvad is quite ahead as they sell activation codes on scratch cards.
gruez
Banning in-store sales of VPN activation codes seems well within the ability of the British state to do, especially when they already banned bank/credit card payments.
TacticalCoder
> They know what they doing exactly.
They're already using the "online safety act" to silence people online.
They're super scared because a great many people have had enough. Crimes numbers, including rapes, are through the roof in the UK. And they want to silence anyone who wants to talk about criminality on the ultra rise.
The UK is on a very dark path. It's the country in the world with the most millionaires fleeing the country: mainstream media brainwash the people saying it's supposedly for tax reasons these millionaires are leaving.
But I live in a country where many millionaires and families have family offices and trusts and the tune is very different.
People are scared of what's going on. Both criminality and religious extremism are rising at a more than alarming rate. And not only is the government doing nothing about it, they're going after those denouncing the crimes.
People are now stabbed to death for their watch in London. A few days ago:
https://www.lbc.co.uk/crime/three-arrested-man-stabbed-death...
Leftists refuse to see it. They'll rationalize that that man was a capitalist oppressor for wearing a Rolex and that he provoked these people by wearing a $10 K watch. That he's the reason these killers were broke and forced to act evil. That they shouldn't get much jail time because now they'll surely be nice members of a high-trust society.
These people are precisely those who brought the Online Safety Act. But it's Orwellian and Orwellian talk: for what the Online Safety Act is really used for is to silence talk about crimes.
I'm in the EU: in a few years leftists shall probably have put a system in place where police shall come and knock on my door for my posts on HN.
vidarh
> Crimes numbers, including rapes, are through the roof in the UK
This is far-right propaganda.
https://www.macrotrends.net/global-metrics/countries/gbr/uni...
null
null
louthy
This is far right fear-mongering rhetoric. It’s the standard hatred of ethnic minorities whipped up by bigots. The UK is not on a “dark path”, that’s absolute nonsense. Nor do people live in fear. I assume you don’t actually live in the UK. Because none of your description is the UK I live in.
> “People are scared of what's going on. Both criminality and religious extremism are rising at a more than alarming rate.”
Crime is down and has been going down for 10 years. For “religious extremism” I’ll just read “I don’t like brown people”, because extremism is only really growing due to white supremacy groups.
> “they're going after those denouncing the crimes.”
No, they are not, they are going after those fomenting violence (literal riots). In one case leading to white supremacists trying to burn down a hotel with refugees in it.
Crime happens. It doesn’t mean one crime is a symptom of a wider problem. And breaking news: crime is committed by white people too. RE: the Rolex watch crime — I walk through East London with a Patek Philippe on my arm and have zero concerns, I’m not scared, nor do I live in fear. Nobody I know in the UK is scared or living in fear — that’s just agenda driven rhetoric.
Maybe get off twitter and/or the far-right manosphere and try changing your news sources for something more balanced.
badgersnake
This isn’t the Daily Mail comments section.
monooso
You greatly overestimate our legislators. Of course, they may react in the way you described, but I sincerely doubt we're witnessing some great master plan.
SXX
UK is literally the only country except for China that pushed to disable Apple E2E encryption country-wide. It doesn't matter how secure Avanced Data Protection is and how trustworthy is Apple. Just think on it.
Also UK had law for years that can land you in prison for not providing decryption keys for data that you supposedly encrypyted. It's not actively used, but it's there.
So nope, there plenty of UK politicians from both parties that will happily push something that will invade your privacy. And really no one who push against it.
SoftTalker
Indeed, the simplest explanation is that they are hearing from voting constituents that porn and other objectionable content is too easy for kids to get online, and want to be seen as "doing something about it."
Most parents don't want their kids looking at porn. While there are steps they can take to prevent it, they require some technical knowledge and are generally easy to get around. The easy availability of this content is what has changed. You used to have to go to a seedy bookstore, "adult" movie theatre, or video rental business to get it, and they wouldn't let kids in. Also you had to pay for it, and most kids don't have any money.
frogarden
I suspect it's more likely that there actually are a handful of politicians and influential people who do think and plan like that, who exploit the fact that most other politicians and influential people are quite ignorant and easy to lead around by their fear.
null
Aeolun
Is this hysteria about sex a new thing? I feel like I grew up in an age where it was pretty normal to see these things as soon as you were old enough to be interested in them.
cherryteastain
It's just iteration N of a series of power grabs to expand the panopticon of mass surveillance on the internet under the guise of 'but think about the children!!!'.
blitzar
Every since they stopped showing 16 year old girls topless in the UK daily newspapers (2004) things have been trending that way.
null
Yeul
Can't solve poverty, drug use, grooming gangs or knife crime.
Jigsy
What saddens me about the UK geoblock notices is not a single one of them refers to the UK as Airstrip One.
Yeul
IIRC the regime in 1984 produced porn for the proles. They had more sense than these middle class pricks from Somerset.
zigzag312
Wouldn't age verification without revealing identity be solved with a service that acts as an identity authority?
1) Site that needs to verify age generates a globally unique id, creates requested data array ["is_over_18"], valid_until property and hmac signature of this message.
2) Client forwards just the id and requested data array to identity authority. Identity authority returns the id, map of data {"is_over_18": true}, public key information, and signature of returned message.
3) Client returns original message with message received from identity authority to the site. Site verifies that id's and requested data match in both messages, original message authenticity via HMAC and signature of message from identity authority using public key cryptography.
User hasn't revealed any PII data besides "is_over_18" value to the site and identity authority doesn't know which site user is accessing.
Requirements: User registers and verifies identity at identity authority. Site trusts identity authority.
Limitations: Site could, behind the scenes, send the generated ID to the identity authority, informing it which site was accessed using this ID.
magicalhippo
EU is working on something like this[1] (got limited discussion here[2]).
I haven't looked into it very much, but at a glance it doesn't sound terrible. Here's the basic flow[3]:
- The User initiates an age verification process by enrolling with an Attestation Provider (AP), which collects the necessary evidence from authentic sources or trusted 3rd party private data sources.
- The AP generates a Proof of Age attestation and issues it to the Age Verification App Instance (AVI) of the User.
- The AVI presents the attestation to a Relying Party (RP) when attempting to access age-restricted services.
- The RP checks the validity of the attestation, referencing the trusted list to confirm the AP's authorisation.
So it uses an app on a mobile device as a proxy of sorts. They're also working on incorporating zero-knowledge proofs[4].
[1]: https://digital-strategy.ec.europa.eu/en/news/commission-mak...
[2]: https://news.ycombinator.com/item?id=44561797
[3]: https://ageverification.dev/Technical%20Specification/archit...
[4]: https://ageverification.dev/Technical%20Specification/archit...
zigzag312
Yeah, something like that. I wonder, if their zero-knowledge proof version prevents leaking of identity, if any service is sharing data with the other.
AnthonyMouse
You're making this far more complicated than it needs to be. It requires no cryptography more than a random number generator.
Create a service that generates a random token and then gives it to anyone who is over 18. Any service with any employee who is over 18 can get the token and then compare it to the one submitted by the client. Everyone uses the same token across every service and the token is only available to someone over 18.
The security isn't any worse than having user or service-specific tokens and the privacy is significantly better.
rcxdude
There's still privacy issues here: e.g. the service is generally still aware of what services the user is using that require verification. ZKP can eliminate this hole.
AnthonyMouse
> e.g. the service is generally still aware of what services the user is using that require verification
How? The token isn't specific to any user or service. The only information the ID provider gets is that you requested the token and the only thing the service verifying your age gets is the same token shared by everyone over 18.
zigzag312
Same token for multiple people would improve anonymity for sure.
But someone could share this token publicly and then everyone could have it.
AnthonyMouse
> But someone could share this token publicly and then everyone could have it.
How is this any different than using any other way of doing it? It's always the case that someone can provide their ID and let someone else use it.
Xelbair
Now make sure that only someone over 18 can generate token, and that token cannot be given to 3rd party for reuse.
AnthonyMouse
The first problem is easy: Write the token on the back of your ID when the government issues it to someone over 18.
The second problem is universally intractable. If you have the cooperation of someone over 18, the service will let you in and has no way of knowing that the person using it is a different person.
Brendinooo
I dunno, I was imagining much simpler ways before I clicked through. Or maybe easier ways. Having to buy something and then configure it is a real barrier.
tempodox
There is a sudden surge in face scanning of video game characters.
jayceedenton
Age limits on buying cigarettes are easily thwarted by finding a corner shop that needs the sale and will sell to kids. Height restrictions on fairground rides are easily thwarted by putting bits of wood in your shoes. None of this matters.
The point is that this kind of control will drastically reduce under 18s consuming content that they shouldn't. We don't need the all of society's controls to be flawless.
nottorp
Oh, if these rules would teach the under 18s to not be 'content consumers' as you seem to consider yourself, that would be great.
But I'm afraid they're only there to satisfy the puritans. The average shitty content that you 'consume' will still be fine.
thomascountz
Without co-opting the loaded notion of what we mean by "shouldn't," I do agree that, at a certain point, manipulating controls to feather through the margins and outliers has diminishing positive returns and increasing negative ones.
dns_snek
Should or shouldn't is a matter of opinion that I disagree with because it has no evidential basis. Downloading a free VPN isn't just doable, it's completely trivial in the privacy of your home and doesn't require any confrontation or risk unlike trying to buy alcohol or cigarettes illegally.
And that is before you consider that what you're ultimately doing, even if your blocking strategies were successful, is steering kids towards the darker markets where illegal and actually harmful content isn't removed and that don't care about your ID laws.
cherryteastain
> Those who would give up essential Liberty, to purchase a little temporary Safety, deserve neither Liberty nor Safety.
- Benjamin Franklin
rcxdude
A VPN is a hell of a lot easier to access then a corner shop that's willing to break the rules, and such rules on corner shops didn't exactly stop teenagers from finding porn before the internet
SoftTalker
For a kid, finding porn before the internet was significantly more difficult.
If you were old enough to pass for 18 yeah a newstand might sell you a magazine. Most would not if you were clearly younger. And you needed to pay for it. Most kids (especially young kids) don't have any money.
And then you had one magazine. Still photos. And it didn't show anything but naked bodies. No real sex, the hardcore stuff was only in adult bookstores.
It was virtually impossible, pre-internet, for an average kid to find a way to spend hours and hours looking at an endless stream of hardcore porn.
PUSH_AX
A technical advisory blunder, or overreach?
We can debate all day, but I feel very sad to be in the technology sector in the UK right now.
FirmwareBurner
>I feel very sad to be in the technology sector in the UK right now
Why? I feel more sad for the citizens the government is trying to surveil upon 1984 style.
meindnoch
When I was a teen, all the porn was behind paywalls. But it didn't stop us from accessing it via torrent sites and other file sharing tools.
null
JetSetIlly
According to the article, Ofcom are encouraging "parents to block or control VPN usage by their children to keep them from dodging the age checkers."
This might be stupidest advice I've ever heard. If parents aren't willing to block or control access to porn sites, there's even less chance of them blocking or controlling VPN usage. But if nothing else, it does show up this law for the nonsense that it is.
cdrini
Controlling VPN seems much easier, no? Since you have to pay for a VPN service, and I imagine most kids don't have a credit card to make arbitrary purchases independently, so it would have to bubble up to a parent.
vidarh
The fact that you think you need to pay for a VPN service is a good illustration of the problem with this.
There's a plethora of free VPN services operating outside the reach of UK authorities.
My sons friend circle all figured out how to use free VPN's at around 8-9 to bypass bans on gaming servers.
JetSetIlly
That's assuming the child is smart enough to only use a paid-for VPN. I can foresee a lot of children being suckered into using a dodgy VPN.
steveharman
Uptick in TOR usage?
The most disturbing thing about this saga is that websites that have no physical/legal/business presence in the UK are proactively geoblocking UK-origin IPs.
Censorious governments have always been a thing since the beginning of the internet. Websites (especially non-corporate ones like 4chan or R34) preemptively surrendering to a foreign government that has no jurisdiction over them is what's new.