惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

S
Secure Thoughts
雷峰网
雷峰网
罗磊的独立博客
T
The Blog of Author Tim Ferriss
阮一峰的网络日志
阮一峰的网络日志
量子位
钛媒体:引领未来商业与生活新知
钛媒体:引领未来商业与生活新知
云风的 BLOG
云风的 BLOG
人人都是产品经理
人人都是产品经理
GbyAI
GbyAI
Cisco Talos Blog
Cisco Talos Blog
Engineering at Meta
Engineering at Meta
Threat Intelligence Blog | Flashpoint
Threat Intelligence Blog | Flashpoint
A
About on SuperTechFans
D
Darknet – Hacking Tools, Hacker News & Cyber Security
The Cloudflare Blog
Know Your Adversary
Know Your Adversary
T
Threat Research - Cisco Blogs
Spread Privacy
Spread Privacy
D
DataBreaches.Net
T
The Exploit Database - CXSecurity.com
K
Kaspersky official blog
Cyberwarzone
Cyberwarzone
爱范儿
爱范儿
U
Unit 42
Security Latest
Security Latest
M
MIT News - Artificial intelligence
月光博客
月光博客
Scott Helme
Scott Helme
G
Google Developers Blog
有赞技术团队
有赞技术团队
T
Tor Project blog
宝玉的分享
宝玉的分享
Y
Y Combinator Blog
博客园 - Franky
H
Hackread – Cybersecurity News, Data Breaches, AI and More
aimingoo的专栏
aimingoo的专栏
The GitHub Blog
The GitHub Blog
V
V2EX
B
Blog
Apple Machine Learning Research
Apple Machine Learning Research
S
Securelist
博客园 - 三生石上(FineUI控件)
Blog — PlanetScale
Blog — PlanetScale
TaoSecurity Blog
TaoSecurity Blog
Stack Overflow Blog
Stack Overflow Blog
P
Proofpoint News Feed
腾讯CDC
D
Docker
Google Online Security Blog
Google Online Security Blog

Open Rights Group

Wanted: Government to fix the ICO Joint Letter: Protect VPNs Open letter for an investigation into the ICO over eVisas Civil society organisations call for ICO to be investigated over eVisas The end is nigh for US data transfers How AI in asylum decision-making drives failure and cost Dear Andy, we need a complete reset on digital policy John Edwards resignation is opportunity to appoint a regulator with teeth AI in Asylum Decisions: Transparency and Accountability Failures Stop Killing the Internet: New global movement launches MPs urged to vote for a Digital Sovereignty strategy The social media policy ratchet Starmer’s social media ban fails to address root causes of online harms This refugee week, take courage! The rise of copyright trolling Growing up in an online world: ORG Consultation Response Reset the ICO The ICO isn’t doing its job – why the data watchdog needs an overhaul The ICO isn’t doing its job – why the data watchdog needs to be reset ORG response to ICO call for views on our approach to regulating online advertising ORG response to Consultation on the ICO’s approach to data protection complaint handling Companies and civil society warn that UK is undermining open web Papers Please! MPs back mass online digital ID checkpoints MPs call for publication of secret documents that outline chronic risks from UK’s dependence on Big Tech New report: UK needs digital sovereignty strategy to address threats from reliance on big tech The case for Digital Sovereignty and the Digital Commons After the LA Court verdict, the UK must disrupt surveillance capitalism business models 13 year olds could be compelled to use unregulated age verification Children’s Wellbeing and Schools Bill: Analysis of Amendment 38b ICO must investigate Reform ‘competition’ for data protection breaches Home Office use of AI in asylum cases likely to be unlawful, legal opinion finds Legal Opinion: The use of Artificial Intelligence tools in asylum cases MPs give ministers powers to restrict entire Internet Board Election Results Palestine Action ruling: Human rights organisations call for Ofcom to issue guidance on content takedowns
Break privacy to make privacy? Age verification isn’t the answer
17 Mar 2026 Mariano delli Santi · 2026-03-17 · via Open Rights Group

Digital Privacy

The Information Commissioner’s Office (ICO) recently published an open letter to online platforms providers, calling them “to strengthen age assurance measures to ensure young children are not accessing services that are not designed for them”.

The letter comes after a £14m fine issued against Reddit for its reliance on self-declaratory age checks. According to the ICO, children under the age of 13 would have been able to provide false information when self-declaring their age — thus, Reddit would have processed their data unlawfully. 

This decision is concerning on several fronts. The ICO are actively encouraging platforms to adopt more invasive verification technologies, at a time when privacy violations and malpractice are starting to emerge within the industry. Further, the ICO characterisation of age assurance technology as “advanced” and “readily available” comes as hundreds of computer scientists call for a moratorium on the roll out of this technology and warn about the technical limitations and infeasibility of this approach.

In the meanwhile, Parliament is getting ready to approve proposals to further restrict children’s access to the Internet, informed by unrealistic expectations over the effectiveness of age-gating. As dysfunctional legislative and regulatory policies converge, they risk fuelling a never-ending demand for more layers of Internet control.

Age verification is being weaponised


The Online Safety Act requires online service providers to introduce age checks, and to prevent children from accessing certain kind of content (also known as age-gating). Contrary to the age checks we are familiar with in the offline world, online these are a digital identity process that are often invasive of our privacy. If users are not allowed to self-declare their age, checks will be performed by:

  • Scanning your face, or other biometric data, to guess your age; or
  • Tracking and profiling your behaviour on a given online platform, and sharing these profiles with commercial data brokers, to guess who you are and how old are you;
  • Asking you to submit your identity documents.

As online service providers started to implement these checks in the UK, significant privacy harms started to emerge. Already last year, Open Rights Group sounded the alarm about the incentives the Online Safety Act creates for adopting cheap technology providers, at the expenses of users’ privacy and security. We also drew attention to Grindr, Bluesky, and Reddit adopting providers whose general terms and conditions state they can repurpose data they collect for marketing and advertising purposes.

More recently, Discord carried out age checks by asking users to submit a proof of identification, resulting in a data breach affecting 70.000 users’ government issued IDs. Afterwards, Discord contracted Persona, an age verification provider which is being funded by Peter Thiel, a far-right investor and Palantir’s founder.

If this wasn’t enough, security researchers were able to hack Persona’s age checks systems, and gain access to its code on a US government authorised server. Their analysis revealed that Persona was not only estimating users’ age, but also used face scans to carry “269 individual verification checks”. These included screening users “against 14 categories of adverse media from terrorism to espionage, and tags reports with codenames from active intelligence programs”.

UPDATE (30/03/2026): Persona issued a “post-incident review” in response to the researchers’ claim, which you can read here.

None of the practices outlined above are legal under UK data protection law. Age assurance providers are not allowed to use age check data beyond its purpose, be it to selling advertising or to surreptitiously check if your child is a terrorist. You would expect the ICO to be investigating and slapping fines against these kind of abuses. Their priorities, however, seem to lie elsewhere.

The ICO is missing the child protection target

The ICO issued a £14m fine to Reddit for a number of failures, including “checking the age of users accessing its platform”. Underpinning this fine, is a recent open letter to online platforms, as well as the December 2025 Children’s Code Strategy progress update. In short, the ICO are leveraging monetary penalties to force online platforms to make “use of current viable technologies – examples include but are not limited to, facial age estimation, digital ID, or one-time photo matching – when enforcing minimum age requirements”. The rationale of this approach appears problematic on many fronts.

Lacking meaningful regulatory intervention against abuses, the ICO request will inevitably favour the adoption of age assurance providers that trump privacy standards to lower costs and increase their own profit. Indeed, providers like Persona (used by Reddit and Discord) and Facetec (used by Grindr) already reuse data they collect through age verification services for advertising purposes. Their deployment has gone unchallenged by the ICO, a posture that benefits the commercial interests of creepy age assurance providers but does little to protect our privacy.

UPDATE (30/03/2026): Persona’s CEO has issued some public rebuttals on this topic, available here and here.

On top of that, the ICO strategy focuses heavily on the implementation of “effective age gates”, thus adopting a reductionist interpretation of its legal mandate. Data protection law is concerned about protecting personal data, not about restricting children’s access to certain content. As a matter of fact, the UK GDPR clarifies that specific protection for children’s use of data apply, in particular, “to the use of personal data of children for the purposes of marketing or creating personality or user profiles”. Even within the narrow scope of age assurance, the ICO cannot prioritise technological adoption by closing an eye on surreptitious and unlawful uses of age checks data.

If you believe that age gating is important to protect children online, you would want the ICO to make sure the age verification industry does not weaponise age-checks mandates to violate our online privacy. By failing to play their part, the ICO is instead contributing to a growing sense of unease and loss of trust over age assurance policies.

Racing to an age-gated hell

Another important misconception which underpins the push against self-declaration is the notion that what the ICO characterise as “robust” age assurance checks would be harder to circumvent, and thus more effective. However, children have been able to bypass face scans by drawing a moustache on their face, or by using their parent’s online accounts. Likewise, age gates can be circumvented by using Virtual Private Networks (VPNs), by buying or borrowing accounts’ credentials, or by using deepfakes or AI-generated profiles.

Contrary to the ICO assessment, asking online providers to adopt more invasive age checks will not prevent motivated users from bypassing them. Circumvention is trivial not because of only platforms’ age verification tools of choice, but due to the open nature and structure of the Internet itself. Even in China, where the State spares no expenses to control and surveil Internet use, children learnt how to bypass restrictions in order to keep playing video games. As outlined in an open letter signed by 400+ information security researchers and academics, effective age verification would require a gargantuan digital identity infrastructure deployed at scale, and laws to enforce its use globally.

It is, therefore, unrealistic to expect that circumvention can be stopped by technical means. These same expectations are informing ongoing political attempts to introduce more age checks, supposedly to make age-gating more difficult to bypass. As proposals already being discussed in parliament show, age-gating could soon apply to VPNs. These measures are, however, bound to fail just like the existing ones, fuelling a vicious cycle where politicians will attempt to fix failing policies by introducing more layers of surveillance and content restrictions, over and over again.

Indeed, by adopting the ICO own logic, VPNs would have to scan their users’ faces, an odd practice for services which are meant to protect from online tracking, surveillance and censorship. Once users start bypassing VPN age-gates, pressure will build to extend them to email services, also the encrypted ones, to prevent children from using an adult’s email to register. Or, Internet Service Providers may be asked to monitor user behaviour to detect if someone is trying to use file-sharing services to download age restricted software or content.

UK data protection law should provide checks and balances against an arms race towards pervasive Internet surveillance, but the ICO’s posture only adds fuel to the fire.

The ICO is doing politics, not enforcement

A certain degree of empathy is due for regulators like the ICO, and their tasks of navigating the inner tension between online safety legislation that requires mass surveillance and UK data protection law, that protects us against it. However, the ICO is actively making this worse by pushing online providers to quickly adopt age verification services while disregarding compliance failures within the industry. It does not need to be this way.

The ICO could enforce against age verification providers, like the Spanish data protection watchdog recently did by fining Yoti, the erstwhile poster-child of privacy-friendly age verification tech, €950,000. By stopping age verification providers from exploiting data they collect for advertising or other spurious purposes, the ICO could protect the public and address widespread concerns about age verification. By keeping data practices in check, the ICO would also make it easier for online platform to adopt this technology without unduly trumping the privacy of their users.

Such a posture would reflect the ICO statutory obligations under the law, but it would also displease the government and the political bandwagon that supports age verification at all costs. Given the ICO’s past record, such a reckoning appears unlikely.

Indeed, the ICO recently signed a Memorandum of Understanding with the government, which Ministers characterised as a shift “to a relationship of partnership rather than opposition”. Even before the MoU, the ICO have frequently shied away from asserting their own independence and regulatory integrity, as shown by the decision not to investigate the Ministry of Defence for the Afghan data breach, or the initiative to deregulate cookie consent requirements to support the government’s growth agenda.

We need a regulator with the independence and willpower to protect us, and stand up against the government when they get it wrong. This is why Open Rights Group has been asking the Select Committee for Science, Innovation and Technology to open a formal inquiry into the performance of the ICO. We are also wrote to the Department of Science, Innovation and Technology to regulate companies performing digital identity checks to ascertain people’s age, but months later have not had any response.

Fix the Online Safety Act

Related Blogs

Digital Privacy

11 Feb 2026 By Open Rights Group

To consent or pay?

If you live in the UK and have a Facebook or Instagram account, you have probably received a message when you’ve logged in asking you if you “Want to subscribe or continue to use our Products for free with ads?

Find Out More

Digital Privacy

14 Jan 2026 By Jim Killock

Techno-Permacrisis

Musk’s latest venture, image generation in Grok that until Wednesday lacked sufficient guardrails to prevent the easy production of non-consensual sexual images and even child abuse images, provoked an Ofcom investigation and further EU Commission action as well as the promise of UK emergency legislation against apps that provide such images in less than a week.

Find Out More

Digital Privacy

18 Sep 2024 By Jim Killock

e-Visas: The Next Digital Windrush Scandal

Our report, “Hostile and Broken” released today, explains why e-Visas risk creating tens or hundreds of thousands of errors, with people potentially turned down for jobs, or unable to enter the country, as the result of electronic failures of the new online, real time re-checking inherent in the UK e-Visa scheme.

Find Out More

Digital Privacy

16 Jul 2024 By Mariano delli Santi

Meta Wants to Make Us its AI Guinea Pigs

Meta, the company that runs Facebook and Instagram, has announced plans to repurpose most of the personal data that they ever collected about you, to train their “artificial intelligence (AI) technologies” — without, of course, asking your permission to do so.

Find Out More

Digital Privacy

20 Mar 2024 By Mariano delli Santi

The ICO Must Toughen Up

As the House of Lords finally begins scrutiny of the UK data protection reform, Open Rights Group urges peers to support amendments that would strengthen the independence and effectiveness of the UK data protection authority, and bolster the public’s right of seeking a remedy against an infringement of their rights.

Find Out More

Digital Privacy

01 Aug 2013 By Jim Killock

Diane Abbott responds on web forum blocking

On a cycling forum, members who are rightly worried that their forum may be blocked by default filters, Skydancer posted a response he was given by Diane Abbott: I do not believe that the arrangements to protect children from hard core porn online will affect a forum to discuss cycling!

Find Out More

Digital Privacy

13 Jun 2013 By Jim Killock

Website filtering problems are a ‘load of cock’

The motion laid down by Labour says: That this House deplores the growth in child abuse images online; deeply regrets that up to one and a half million people have seen such images; notes with alarm the lack of resources available to the police to tackle this problem; further notes the correlation between viewing such images and further child abuse; notes with concern the Government’s failure to implement the recommendations of the Bailey Review and the Independent Parliamentary Inquiry into Online Child Protection on ensuring children’s safe access to the internet; and calls on the Government to set a timetable for the introduction of safe search as a default, effective age verification and splash page warnings and to bring forward legislative proposals to ensure these changes are speedily implemented.

Find Out More

Digital Privacy

26 Apr 2013 By Claudia Mateus

Digital Surveillance video

The Digital Surveillance report – to be launched at a public event on Monday – gives a history of surveillance policy, looks at the current state of the law, examines why technology poses a problem and offers alternative, more targeted and more accountable approaches.

Find Out More

Digital Privacy

28 May 2012 By Peter Bradwell

Reporting ‘over-blocking’ to mobile operators

Since we published our report ‘Mobile Internet censorship: what’s happening and what to do about it‘, jointly with LSE Media Policy project, a number of people have been in touch with us asking what to do if they discover their site is blocked incorrectly by mobile networks’ child protection filters.

Find Out More

Digital Privacy

23 Jan 2012 By Peter Bradwell

UK Mobile operators censor privacy tool ‘Tor’

Open Rights Group and Tor have established that UK mobile networks such as Vodafone, O2 and 3 are filtering UK users’ access to Tor’s primary website (meaning the HTTP version of the Tor Project website, rather than connections to the Tor network) on pre-paid contractless accounts.

Find Out More

Digital Privacy

01 Nov 2011 By Peter Bradwell

Joint letter to the Foreign Secretary

To coincide with the start of the London Conference on Cyberspace, eleven organisations and experts on freedom of expression and privacy online have today written to the Foreign Secretary stating that Britain’s desire to promote these ideals internationally is being hampered by domestic policy.

Find Out More

Digital Privacy

20 May 2010 By Jason Kitcat

Changing the way we vote

In the sixth of our series on the challenges facing the new government, Jason Kitcat looks at proposals for changes to the way our elections are run, including dangerous calls for e-voting.

Find Out More

Digital Privacy

17 Apr 2009 By Jim Killock

Wikipedia blocks Phorm

Wikipedia have announced that they are blocking Phorm as they consider the scanning and profiling of our visitors’ behavior by a third party to be an infringement on their privacy.

Find Out More

Digital Privacy

17 Mar 2008 By Becky Hogge

Phorm update

It’s difficult to tell which of today’s developments the UK’s major ISPs should be more worried about – the fact that Sir Tim Berners-Lee has publicly stated that he would change his ISP if it started employing systems, like Phorm, which could track his activity on the internet, or the news that UK digital rights gurus the Foundation for Information Policy Research (FIPR) have today written an open letter to the Information Commissioner, urging him to look at the legality of Phorm.

Find Out More

Digital Privacy

24 Oct 2007 By Jason Kitcat

Gould Review on Scottish Elections Published

The Electoral Commission and the separate review by Ron Gould that the Commission instituted have published their reports on the Scottish elections of May 2007 The Gould Review in particular identifies a number of important issues, many of which ORG addressed in our own report on the elections published this June.

Find Out More

Digital Privacy

03 Sep 2007 By Becky Hogge

Gordon Brown at the NCVO: e-Voting off the agenda?

In a speech to the National Council of Voluntary Organisations this morning, Gordon Brown announced he would be convening a Speaker’s conference on voting reform: Today I am proposing to the Speaker that he calls a conference to consider, against the backdrop of a decline in turnout, a number of important issues, such as electoral registration, weekend voting, and the representation of women and ethnic minorities in the House of Commons.

Find Out More

Digital Privacy

16 Jan 2007 By Michael Holloway

Taking the lid off e-voting

While the Department for Constitutional Affairs have left us in the dark with no news at all about the e-voting pilots due for May 2007, The Open Rights Group and FIPR have been hard at work.

Find Out More