The Home Office runs two campaigns simultaneously. Stop! Think Fraud warns the public that sharing personal information online exposes them to identity theft. The Online Safety Act, enforced by the same department, makes sharing your identity documents with commercial websites a legal requirement.

Nobody in government appears to have noticed the contradiction, or they noticed and did not care.

This is not an option or a recommendation, it is a legal requirement, enforced by Ofcom, with fines of up to 10% of global revenue for platforms that fail to collect it. The government did not change its assessment of the risk and it did not solve the underlying security problems. It decided that the policy outcome it wanted was worth ignoring the danger it had spent years warning you about. The threat is identical, the advice has simply been reversed.

I want to be precise about what this law actually covers, because the public debate has not been.

You have heard this described by the government and the media as a social media ban for under-16s, but that is not what this is. It is mandatory ID verification for every adult in the UK to access the internet.

The Online Safety Act 2023 applies to any “user-to-user service”, any platform where content generated by one user can be encountered by another. The Children’s Wellbeing and Schools Act 2026 extends that further, requiring the government to impose age or functionality restrictions for all users under 16 across regulated social media platforms. Together, they do not describe a targeted intervention. They describe identity verification as a condition of internet access, for every adult in the country, with child protection used as the framing to avoid calling it what it is.

That definition is extremely broad. It captures social media, obviously. It also captures gaming platforms, discussion forums, community sites, storefronts with review sections, and spectator modes in video games. Ofcom estimates more than 100,000 websites fall within scope. Steam now requires a credit card to access mature content. Discord triggers compliance obligations simply by offering NSFW channels. Nexus Mods, a site where gamers download community-made modifications for video games, now requires UK users to submit a government ID or facial scan to access content tagged as adult.

Services that cannot afford to comply have a third option, they just geo-block the UK entirely, it is already happening. The internet available to UK residents is quietly becoming a different, smaller internet, not because content has been removed, but because the compliance cost of serving British users is no longer worth it.

There are legal exemptions, technically. A news site where readers can only comment on an article, not reply to each other, might qualify as a “limited functionality service.” That exemption disappears the moment users can respond to each other’s comments, which most modern platforms allow. Legal analysis raises this question directly and provides no clear answer. We will not know how courts interpret the boundary until someone is prosecuted and we have case law. Until then, 100,000 services are making compliance decisions based on their best guess, with existential consequences if they guess wrong. That is not governance. It is legislative theatre.

The mechanism chosen for enforcement is the specific problem.

The government is not building a verification system. It is demanding that commercial third parties build one, and mandating the public use it. Photo ID matching, facial age estimation, biometric scanning: the common factor is a private company receiving your identity data as a legal condition of platform access. The Online Safety Act specifies that age verification must be robust, but it places no meaningful security standard on the companies performing it, no data residency requirements, and no restrictions on those companies being acquired by foreign entities. A provider incorporated in London today can be headquartered in California tomorrow. The data moves with it, and the Act has nothing to say about that.

Those companies will tell you their systems are privacy-preserving by design. They will tell you data is not retained. Whilst this may be true of their stated architecture, it tells you nothing about the security of the infrastructure underneath it, nothing about what happens after an acquisition, and nothing about whether any of those claims have been independently audited against a standard with actual teeth.

The government has outsourced not just the implementation but the liability. When the breaches come, and they will, the government will point at the provider, the provider will point at its terms of service, and the people whose data was compromised will have no meaningful recourse. A breached password can be changed. A copy of your passport, driving licence, or home address, linked to a face scan linked to a verified social media identity cannot be unlinked. That record exists permanently, for every bad actor who acquires it now or in the future.

And the risk compounds. Every platform you verify with creates a new database entry. Each submission is a new point of failure. The same face scan submitted to five services does not create one risk five times over, it creates five risks that can be correlated against each other. The aggregate profile that emerges maps your identity across your entire online life. That is not just a data breach waiting to happen. It is a surveillance asset being built, one legal requirement at a time.

There are groups for whom this is not an abstract concern. It is a direct physical safety risk.

Victims of domestic violence depend on online pseudonymity as a survival mechanism. Their support networks, their access to legal advice and specialist services: all of it exists under a layer of separation between their real identity and their online presence, and mandatory identity verification collapses that separation. A verification database linking a real identity to a platform account is a resource. Whether it gets breached, subpoenaed, sold, or accessed by people who should not have it, an abuser with that data, through any route, has a tool for finding someone who has spent considerable effort not being found.

People at elevated risk of doxxing face the same problem: journalists, activists, trans individuals, and anyone who has previously been the target of a coordinated harassment campaign. The separation between real identity and online presence is not paranoia. It is a rational response to a documented threat. The law removes it as a side effect of a policy that does not mention these people once.

The framing of this legislation has been designed to make coherent opposition almost impossible.

Anyone who raises data security concerns is implicitly questioning whether children should be protected online. Anyone who points out the scope is wider than advertised is accused of obfuscating a simple child safety measure. The political angle is deliberate: manufacture a situation in which the only publicly acceptable position is compliance, and then legislate for whatever you wanted in the first place.

Privacy-preserving alternatives exist. Cryptographic verification capable of returning a yes/no age confirmation without creating a linkable identity record has been deployed at national scale elsewhere. It costs more and requires the government to own the issue rather than outsourcing it to an industry with a financial interest in collecting data, so it has not been seriously pursued.

What has been built instead is a compulsory surveillance architecture, held by private companies, with no meaningful security floor. It covers a scope of internet activity that has never been honestly communicated to the public. It operates under legal uncertainty that will not resolve until the prosecutions begin.

This is not speculation about what surveillance does to behaviour. Research published in the Berkeley Technology Law Journal found that searches on sensitive topics dropped by nearly 30% after the Snowden revelations simply made people aware that government monitoring was possible. People did not need to be watched. They needed to believe they might be. Mandatory identity verification, linked to platform access, creates exactly that condition permanently, and by law.

The UK government just made it illegal to protect your own privacy online. They called it keeping children safe.

Share