Well, well, well. The “age assurance” part of the UK’s Online Safety Act has finally gone into effect, with its age checking requirements kicking in a week and a half ago. And what do you know? It’s turned out to be exactly the privacy-invading, freedom-crushing, technically unworkable disaster that everyone with half a brain predicted it would be.

Let’s start with the most obvious sign that this law is working exactly as poorly as critics warned: VPN usage in the UK has absolutely exploded. Proton VPN reported an 1,800% spike in UK sign-ups. Five of the top ten free apps on Apple’s App Store in the UK are VPNs. When your “child safety” law’s primary achievement is teaching kids how to use VPNs to circumvent it, maybe you’ve missed the mark just a tad.

But the real kicker is what content is now being gatekept behind invasive age verification systems. Users in the UK now need to submit a selfie or government ID to access:

Reddit communities about stopping drinking and smoking, periods, craft beers, and sexual assault support, not to mention documentation of warSpotify for music videos tagged as 18+War footage and protest videos on XWikipedia is threatening to limit access in the UK (while actively challenging the law)

Yes, you read that right. A law supposedly designed to protect children now requires victims of sexual assault to submit government IDs to access support communities. People struggling with addiction must undergo facial recognition scans to find help quitting drinking or smoking. The UK government has somehow concluded that access to basic health information and peer support networks poses such a grave threat to minors that it justifies creating a comprehensive surveillance infrastructure around it.

The Wikipedia situation is particularly telling. When an educational encyclopedia that hosts over seven million articles and sees five edits per second calls your law unworkable, maybe it’s time to reconsider?

And this is all after a bunch of other smaller websites and forums shut down earlier this year when other parts of the law went into effect.

This is exactly what happens when you regulate the internet as if it’s all just Facebook and Google. The tech giants can absorb the compliance costs, but everyone else gets crushed.

The only websites with the financial capacity to work around the government’s new regulations are the ones causing the problems in the first place. And now Meta, which already has a monopoly on a number of near-essential online activities (from local sales to university group chats), is reaping the benefits. Thousands of hamster enthusiasts are likely flooding onto Instagram as we speak, ready to be redirected into black holes of miscellaneous “content” they never asked for in the first place. The exact nature of this content is of no corporate concern. The only service rendered is to advertisers, whose pleas are helpfully interspersed between posts and videos. The people running the platform do not care what you logged on for and whether you got it.

Compare this to the beleaguered Hamster Forum. No venture capital is involved – the website was run by passionate hobbyists. They clubbed together with the express purpose of disseminating rodent intel to the people who searched for it. If its users really do move over to Instagram, they’ll find their photos and advice trapped behind a login wall, where they will only benefit other net contributors to Zuckerberg’s growing empire. Their pets will make Meta richer – cute videos are an asset if you’re trying to suck consumers into an infinite behavioural loop that only benefits you. Perhaps most unfairly, the forum’s hamster owners will have to live on the terms of people who are totally indifferent to the value of their time and knowledge.

The age verification process itself is a privacy nightmare wrapped in security theater. Users are being asked to upload selfies that get run through facial recognition algorithms, or hand over copies of their government-issued IDs to third-party companies. The facial recognition systems are so poorly implemented that people are easily fooling them with screenshots from video games—literally using images from the video game Death Stranding. This isn’t just embarrassing, it reveals the fundamental security flaw at the heart of the entire system. If these verification methods can’t distinguish between a real person and a video game character, what confidence should we have in their ability to protect the sensitive biometric data they’re collecting?

But here’s the thing: even when these systems “work,” they’re creating massive honeypots of personal data. As we’ve seen repeatedly, companies collecting biometric data and ID verification inevitably get breached, and suddenly intimate details about people’s online activity become public. Just ask the users of Tea, a women’s dating safety app that recently exposed thousands of users’ verification selfies after requiring facial recognition for “safety.”

The UK government’s response to widespread VPN usage has been predictably authoritarian. First, they insisted nothing would change:

“The Government has no plans to repeal the Online Safety Act, and is working closely with Ofcom to implement the Act as quickly and effectively as possible to enable UK users to benefit from its protections.”

But then, Tech Secretary Peter Kyle deployed the classic authoritarian playbook: dismissing all criticism as support for child predators. This isn’t just intellectually dishonest—it’s a deliberate attempt to shut down legitimate policy debate by smearing critics as complicit in child abuse. It’s particularly galling given that the law Kyle is defending will do absolutely nothing to stop actual predators, who will simply migrate to unregulated platforms or use the same VPNs that law-abiding citizens are now flocking to.

Let’s be crystal clear about what this law actually accomplishes: It makes it harder for adults to access perfectly legal (and often helpful) information and services. It forces people to create detailed trails of their online activity linked to their real identities. It drives users toward less secure platforms and services. It destroys small online communities that can’t afford compliance costs. And it teaches an entire generation that bypassing government surveillance is a basic life skill.

Meanwhile, the actual harms it purports to address? Those remain entirely unaddressed. Predators will simply move to unregulated platforms, encrypted messaging, or services that don’t comply. Or they’ll just use VPNs. The law creates the illusion of safety while actually making everyone less secure.

This is what happens when politicians decide to regulate technology they don’t understand, targeting problems they can’t define, with solutions that don’t work. The UK has managed to create a law so poorly designed that it simultaneously violates privacy, restricts freedom, harms small businesses, and completely fails at its stated goal of protecting children.

And all of this was predictable. Hell, it was predicted. Civil society groups, activists, legal experts, all warned of these results and were dismissed by the likes of Peter Kyle as supporting child predators.

Yet every criticism, every warning, every prediction about this law’s failures has come to pass within days of implementation. The only question now is how long it will take for the UK government to admit what everyone else already knows: the Online Safety Act is an unmitigated disaster that makes the internet less safe for everyone.

A petition set up on the UK government’s website demanding a repeal of the entire OSA received many hundreds of thousands of signatures within days. The government has already brushed it off with more nonsense, promising that the enforcer of the law, Ofcom, “will take a sensible approach to enforcement with smaller services that present low risk to UK users, only taking action where it is proportionate and appropriate, and will focus on cases where the risk and impact of harm is highest.”

But that’s a bunch of vague nonsense that doesn’t take into account that no platform wants to be on the receiving end of such an investigation, and thus will take these overly aggressive steps to avoid scrutiny.

The whole thing is a mess and yet another embarrassment for the UK. And they were all warned about it, while insisting these concerns were exaggerations.

But this isn’t just about the UK—it’s a cautionary tale for every democracy grappling with how to regulate the internet. The OSA proves that when politicians prioritize looking tough over actually solving problems, the result is legislation that harms everyone it claims to protect while empowering the very forces it claims to constrain.

What makes this particularly tragic is that there were genuine alternatives. Real child safety measures—better funding for mental health support, improved education programs, stronger privacy protections that don’t require mass surveillance—were all on the table. Instead, the UK chose the path that maximizes government control while minimizing actual safety.

The rest of the world should take note.

From Techdirt via this RSS feed