Predictable: UKs Age Verification Trivially Defeated With VPNs

Age verification systems are a security nightmare that is easily defeated. The UK is proving that as users resort to VPNs.

Government mandated age verification systems suck. This isn’t news and hasn’t been for years. They leak people’s personal information, are highly vulnerable to getting hacked, are highly ineffective at their jobs and rely on junk science to bolster it’s “need”, and is just a cover for much more disturbing political motivations further down the road. It’s truly a situation with all downsides and no upsides.

One of the major problems of age verification is that it is easily defeated by anonymous tools widely available online today. One such technology is a Virtual Private Network (VPN). Simply put, if a website erects an age gate for a certain geographic location, a VPN can simply change that IP address for you to make it look like you are accessing it from a different location. This easily defeats the age gate, allowing the user to experience the open web once again. The response from supporters to this argument is basically that people are too stupid to understand how to operate a VPN, so that argument is defeated. Yes, supporters of age verification laws really are that stupid.

Yet, politician’s are forging ahead with their stupid plans, exercising the full might of their major in stupid engineering. This as they push ahead with these laws by ignoring all the problems and hoping that they all go away on their own. Obviously, just wishing the problems away is going to solve nothing, but certain politician’s are too stupid to understand that. This is made clear by them pushing ahead with these laws anyway.

Now, in the most predictable way possible, those problems are coming to fruition. The UK is quickly becoming a glowing example of this. Already, websites and services are implementing age verification as they surrender to the governments will. Both Reddit and Bluesky knowingly implemented this broken technology in a bid to appease the bully that is the UK government. This as the UK government orders these sites to wave a magic wand and make everything magically work. Reports are surfacing that the age verification process is being defeated in the most trivial way possible: VPNs. From Gizmodo:

Earlier this week, the United Kingdom’s age assurance requirement for sites that publish pornographic material went into effect, which has resulted in everything from Pornhub to Reddit and Discord displaying an age verification panel when users attempt to visit. There’s just one little problem. As The Verge notes, all it takes to defeat the age-gating is a VPN, and those aren’t hard to come by these days.

Here’s the deal: Ofcom, the UK’s telecom regulator, requires online platforms to verify the age of their users if they are accessing a site that either publishes or allows users to publish pornographic material. Previously, a simple click of an “I am over 18” button would get you in. Now, platforms are mandated to use a verification method that is “strong” and “highly effective.” A few of those acceptable methods include verifying with a credit card, uploading a photo ID, or submitting to a “facial age estimation” in which you upload a selfie so a machine can determine if you look old enough to pleasure yourself responsibly.

Those options vary from annoying to creepily intrusive, but there’s a little hitch in the plan: Currently, most platforms are determining a user’s location based on IP address. If you have an IP that places you in the UK, you have to verify. But if you don’t, you’re free to browse without interruption. And all you need to change your IP address is a VPN.

Ofcom seems aware of this very simple workaround. According to the BBC, the regulator has rules that make it illegal for platforms to host, share, or allow content that encourages people to use a VPN to bypass the age authentication page. It also encouraged parents to block or control VPN usage by their children to keep them from dodging the age checkers.

It seems that people are aware of this option. Google Trends shows that searches for the term “VPN” have skyrocketed in the UK since the age verification requirement went into effect.

Here’s the problem for sites that surrendered to these age gates: they are now open to liability under the law. The law requires platforms for implement an age gate that is “highly effective”. Obviously, there is no such thing as a “highly effective” age gate unless the website blocks the country entirely. This opens up the possibility for the government to accuse the platforms of not implementing something that was “highly effective” even though they are literally asking for the impossible. Anyone who tries to find something that works is doing nothing more than trying to carry out a fools errand.

What these platforms should have done in the first place is block the country entirely and say that they no longer operate in that country. That would avoid that liability altogether and allowed the platforms to implement a campaign to get lawmakers to rescind the law.

As is clearly evident with the Google trends note, the UK government is training more people to use privacy tools, making life much more difficult for them in the long run. People know how stupid this law is in the first place and why evading such blockades is in their interest regardless of how old they are. The only people who are going to get burned are the people who choose the most honest path possible and submit their personal information to a third party who is probably going to either sell that information to a third party or have their information leaked or hacked so third parties can start blackmailing them for money after. Age verification is only good at creating victims of the system.

I sincerely doubt this is going to be the last problem that crops up. The UK is going to find out that their age verification boat has more holes than Swiss cheese. You’re not going to plug all the holes and the law is going to do little more than continue to take on water before it sinks entirely. In the interim, it will be a never ending fight to deal with the obvious messes that will inevitably be created. Those who go along with this will, at one point or another, find out what a horrible mistake it was to just comply and hope things work themselves out on their own.

Drew Wilson on Mastodon, Twitter and Facebook.