
























The Information Commissioner’s Office (ICO) recently published an open letter to online platforms providers, calling them “to strengthen age assurance measures to ensure young children are not accessing services that are not designed for them”.
The letter comes after a £14m fine issued against Reddit for its reliance on self-declaratory age checks. According to the ICO, children under the age of 13 would have been able to provide false information when self-declaring their age — thus, Reddit would have processed their data unlawfully.
This decision is concerning on several fronts. The ICO are actively encouraging platforms to adopt more invasive verification technologies, at a time when privacy violations and malpractice are starting to emerge within the industry. Further, the ICO characterisation of age assurance technology as “advanced” and “readily available” comes as hundreds of computer scientists call for a moratorium on the roll out of this technology and warn about the technical limitations and infeasibility of this approach.
In the meanwhile, Parliament is getting ready to approve proposals to further restrict children’s access to the Internet, informed by unrealistic expectations over the effectiveness of age-gating. As dysfunctional legislative and regulatory policies converge, they risk fuelling a never-ending demand for more layers of Internet control.
The Online Safety Act requires online service providers to introduce age checks, and to prevent children from accessing certain kind of content (also known as age-gating). Contrary to the age checks we are familiar with in the offline world, online these are a digital identity process that are often invasive of our privacy. If users are not allowed to self-declare their age, checks will be performed by:
As online service providers started to implement these checks in the UK, significant privacy harms started to emerge. Already last year, Open Rights Group sounded the alarm about the incentives the Online Safety Act creates for adopting cheap technology providers, at the expenses of users’ privacy and security. We also drew attention to Grindr, Bluesky, and Reddit adopting providers whose general terms and conditions state they can repurpose data they collect for marketing and advertising purposes.
More recently, Discord carried out age checks by asking users to submit a proof of identification, resulting in a data breach affecting 70.000 users’ government issued IDs. Afterwards, Discord contracted Persona, an age verification provider which is being funded by Peter Thiel, a far-right investor and Palantir’s founder.
If this wasn’t enough, security researchers were able to hack Persona’s age checks systems, and gain access to its code on a US government authorised server. Their analysis revealed that Persona was not only estimating users’ age, but also used face scans to carry “269 individual verification checks”. These included screening users “against 14 categories of adverse media from terrorism to espionage, and tags reports with codenames from active intelligence programs”.
UPDATE (30/03/2026): Persona issued a “post-incident review” in response to the researchers’ claim, which you can read here.
None of the practices outlined above are legal under UK data protection law. Age assurance providers are not allowed to use age check data beyond its purpose, be it to selling advertising or to surreptitiously check if your child is a terrorist. You would expect the ICO to be investigating and slapping fines against these kind of abuses. Their priorities, however, seem to lie elsewhere.
The ICO issued a £14m fine to Reddit for a number of failures, including “checking the age of users accessing its platform”. Underpinning this fine, is a recent open letter to online platforms, as well as the December 2025 Children’s Code Strategy progress update. In short, the ICO are leveraging monetary penalties to force online platforms to make “use of current viable technologies – examples include but are not limited to, facial age estimation, digital ID, or one-time photo matching – when enforcing minimum age requirements”. The rationale of this approach appears problematic on many fronts.
Lacking meaningful regulatory intervention against abuses, the ICO request will inevitably favour the adoption of age assurance providers that trump privacy standards to lower costs and increase their own profit. Indeed, providers like Persona (used by Reddit and Discord) and Facetec (used by Grindr) already reuse data they collect through age verification services for advertising purposes. Their deployment has gone unchallenged by the ICO, a posture that benefits the commercial interests of creepy age assurance providers but does little to protect our privacy.
UPDATE (30/03/2026): Persona’s CEO has issued some public rebuttals on this topic, available here and here.
On top of that, the ICO strategy focuses heavily on the implementation of “effective age gates”, thus adopting a reductionist interpretation of its legal mandate. Data protection law is concerned about protecting personal data, not about restricting children’s access to certain content. As a matter of fact, the UK GDPR clarifies that specific protection for children’s use of data apply, in particular, “to the use of personal data of children for the purposes of marketing or creating personality or user profiles”. Even within the narrow scope of age assurance, the ICO cannot prioritise technological adoption by closing an eye on surreptitious and unlawful uses of age checks data.
If you believe that age gating is important to protect children online, you would want the ICO to make sure the age verification industry does not weaponise age-checks mandates to violate our online privacy. By failing to play their part, the ICO is instead contributing to a growing sense of unease and loss of trust over age assurance policies.
Another important misconception which underpins the push against self-declaration is the notion that what the ICO characterise as “robust” age assurance checks would be harder to circumvent, and thus more effective. However, children have been able to bypass face scans by drawing a moustache on their face, or by using their parent’s online accounts. Likewise, age gates can be circumvented by using Virtual Private Networks (VPNs), by buying or borrowing accounts’ credentials, or by using deepfakes or AI-generated profiles.
Contrary to the ICO assessment, asking online providers to adopt more invasive age checks will not prevent motivated users from bypassing them. Circumvention is trivial not because of only platforms’ age verification tools of choice, but due to the open nature and structure of the Internet itself. Even in China, where the State spares no expenses to control and surveil Internet use, children learnt how to bypass restrictions in order to keep playing video games. As outlined in an open letter signed by 400+ information security researchers and academics, effective age verification would require a gargantuan digital identity infrastructure deployed at scale, and laws to enforce its use globally.
It is, therefore, unrealistic to expect that circumvention can be stopped by technical means. These same expectations are informing ongoing political attempts to introduce more age checks, supposedly to make age-gating more difficult to bypass. As proposals already being discussed in parliament show, age-gating could soon apply to VPNs. These measures are, however, bound to fail just like the existing ones, fuelling a vicious cycle where politicians will attempt to fix failing policies by introducing more layers of surveillance and content restrictions, over and over again.
Indeed, by adopting the ICO own logic, VPNs would have to scan their users’ faces, an odd practice for services which are meant to protect from online tracking, surveillance and censorship. Once users start bypassing VPN age-gates, pressure will build to extend them to email services, also the encrypted ones, to prevent children from using an adult’s email to register. Or, Internet Service Providers may be asked to monitor user behaviour to detect if someone is trying to use file-sharing services to download age restricted software or content.
UK data protection law should provide checks and balances against an arms race towards pervasive Internet surveillance, but the ICO’s posture only adds fuel to the fire.
A certain degree of empathy is due for regulators like the ICO, and their tasks of navigating the inner tension between online safety legislation that requires mass surveillance and UK data protection law, that protects us against it. However, the ICO is actively making this worse by pushing online providers to quickly adopt age verification services while disregarding compliance failures within the industry. It does not need to be this way.
The ICO could enforce against age verification providers, like the Spanish data protection watchdog recently did by fining Yoti, the erstwhile poster-child of privacy-friendly age verification tech, €950,000. By stopping age verification providers from exploiting data they collect for advertising or other spurious purposes, the ICO could protect the public and address widespread concerns about age verification. By keeping data practices in check, the ICO would also make it easier for online platform to adopt this technology without unduly trumping the privacy of their users.
Such a posture would reflect the ICO statutory obligations under the law, but it would also displease the government and the political bandwagon that supports age verification at all costs. Given the ICO’s past record, such a reckoning appears unlikely.
Indeed, the ICO recently signed a Memorandum of Understanding with the government, which Ministers characterised as a shift “to a relationship of partnership rather than opposition”. Even before the MoU, the ICO have frequently shied away from asserting their own independence and regulatory integrity, as shown by the decision not to investigate the Ministry of Defence for the Afghan data breach, or the initiative to deregulate cookie consent requirements to support the government’s growth agenda.
We need a regulator with the independence and willpower to protect us, and stand up against the government when they get it wrong. This is why Open Rights Group has been asking the Select Committee for Science, Innovation and Technology to open a formal inquiry into the performance of the ICO. We are also wrote to the Department of Science, Innovation and Technology to regulate companies performing digital identity checks to ascertain people’s age, but months later have not had any response.

If you live in the UK and have a Facebook or Instagram account, you have probably received a message when you’ve logged in asking you if you “Want to subscribe or continue to use our Products for free with ads?
Musk’s latest venture, image generation in Grok that until Wednesday lacked sufficient guardrails to prevent the easy production of non-consensual sexual images and even child abuse images, provoked an Ofcom investigation and further EU Commission action as well as the promise of UK emergency legislation against apps that provide such images in less than a week.
Our report, “Hostile and Broken” released today, explains why e-Visas risk creating tens or hundreds of thousands of errors, with people potentially turned down for jobs, or unable to enter the country, as the result of electronic failures of the new online, real time re-checking inherent in the UK e-Visa scheme.
Meta, the company that runs Facebook and Instagram, has announced plans to repurpose most of the personal data that they ever collected about you, to train their “artificial intelligence (AI) technologies” — without, of course, asking your permission to do so.
As the House of Lords finally begins scrutiny of the UK data protection reform, Open Rights Group urges peers to support amendments that would strengthen the independence and effectiveness of the UK data protection authority, and bolster the public’s right of seeking a remedy against an infringement of their rights.
On a cycling forum, members who are rightly worried that their forum may be blocked by default filters, Skydancer posted a response he was given by Diane Abbott: I do not believe that the arrangements to protect children from hard core porn online will affect a forum to discuss cycling!
The motion laid down by Labour says: That this House deplores the growth in child abuse images online; deeply regrets that up to one and a half million people have seen such images; notes with alarm the lack of resources available to the police to tackle this problem; further notes the correlation between viewing such images and further child abuse; notes with concern the Government’s failure to implement the recommendations of the Bailey Review and the Independent Parliamentary Inquiry into Online Child Protection on ensuring children’s safe access to the internet; and calls on the Government to set a timetable for the introduction of safe search as a default, effective age verification and splash page warnings and to bring forward legislative proposals to ensure these changes are speedily implemented.
The Digital Surveillance report – to be launched at a public event on Monday – gives a history of surveillance policy, looks at the current state of the law, examines why technology poses a problem and offers alternative, more targeted and more accountable approaches.
Since we published our report ‘Mobile Internet censorship: what’s happening and what to do about it‘, jointly with LSE Media Policy project, a number of people have been in touch with us asking what to do if they discover their site is blocked incorrectly by mobile networks’ child protection filters.
Open Rights Group and Tor have established that UK mobile networks such as Vodafone, O2 and 3 are filtering UK users’ access to Tor’s primary website (meaning the HTTP version of the Tor Project website, rather than connections to the Tor network) on pre-paid contractless accounts.
To coincide with the start of the London Conference on Cyberspace, eleven organisations and experts on freedom of expression and privacy online have today written to the Foreign Secretary stating that Britain’s desire to promote these ideals internationally is being hampered by domestic policy.
In the sixth of our series on the challenges facing the new government, Jason Kitcat looks at proposals for changes to the way our elections are run, including dangerous calls for e-voting.
Wikipedia have announced that they are blocking Phorm as they consider the scanning and profiling of our visitors’ behavior by a third party to be an infringement on their privacy.
It’s difficult to tell which of today’s developments the UK’s major ISPs should be more worried about – the fact that Sir Tim Berners-Lee has publicly stated that he would change his ISP if it started employing systems, like Phorm, which could track his activity on the internet, or the news that UK digital rights gurus the Foundation for Information Policy Research (FIPR) have today written an open letter to the Information Commissioner, urging him to look at the legality of Phorm.
The Electoral Commission and the separate review by Ron Gould that the Commission instituted have published their reports on the Scottish elections of May 2007 The Gould Review in particular identifies a number of important issues, many of which ORG addressed in our own report on the elections published this June.
In a speech to the National Council of Voluntary Organisations this morning, Gordon Brown announced he would be convening a Speaker’s conference on voting reform: Today I am proposing to the Speaker that he calls a conference to consider, against the backdrop of a decline in turnout, a number of important issues, such as electoral registration, weekend voting, and the representation of women and ethnic minorities in the House of Commons.
While the Department for Constitutional Affairs have left us in the dark with no news at all about the e-voting pilots due for May 2007, The Open Rights Group and FIPR have been hard at work.
此内容由惯性聚合(RSS阅读器)自动聚合整理,仅供阅读参考。 原文来自 — 版权归原作者所有。