The United Kingdom’s implementation of age assurance requirements for many online platforms has seen some users find ways to circumvent the technology, in a preview of what could occur when similar laws and age checks are rolled out in Australia this December.
The UK’s Online Safety Act, which took effect on Friday, 25 July, imposes a legal duty on online services to protect children from harmful content such as pornography, violence, terrorism, and self-harm — or face fines of up to $37 million (£18 million), or 10 per cent of qualifying worldwide revenue.
The new law also means platforms are required to update their algorithms to filter out content which is likely to be harmful to young people.
Ofcom, the UK’s communications regulator, has mandated that platforms perform “robust age checks”, which must be “highly effective” on sites with the most potentially harmful content.
This will typically involve age assurance in which a user shares details of a government-issued ID or a bank card, as well as sometimes a short video or selfie which is used to estimate the person’s age.
Getting around face scans with VPNs and video games
Some UK residents have turned to easily accessible tricks to circumvent age checks, with many doing so due to personal concerns over data collection.
Many appeared to be turning to Virtual Private Networks (or VPNs) which reroute internet traffic through servers in other countries, thereby tricking some platforms into believing a user is not located in the UK.
Mobile VPN apps have seen a spike in downloads, with such services listed as five of the 10 most popular apps on Apple’s UK App Store at the time of writing.
VPN apps have raced up the Apple App Store charts in the UK this week. Image: Apple
Other UK residents have used more creative ways to trick age assurance systems, including manipulating characters in video games so they appear to be a human reacting to a verification system’s requests.
Game developer Dany Sterkhov discovered the photo mode of popular video game Death Stranding could be used to trick face scanning tools by moving the face of the game’s main character, Sam Bridges.
Sterkhov said he did so to get through social platform Discord’s age estimation software, run by third-party company k-ID.
The technique has since been successfully used by others.
Tom Warren, a senior editor at The Verge who is based in the UK, said he tested the technique on both Discord and Reddit (which uses a tool called Persona), and was able to trick the systems “within seconds”, which he said felt "unbelievably easy".
However, the video game technique was not able to fool Yoti — a system being used by the likes of Instagram, Facebook, and Bluesky — according to Warren.
While thousands of websites have reportedly implemented age assurance measures for UK users, many which host adult content or independently host small communities have also allegedly geo-blocked their services in the UK to avoid the regulations and their associated costs.
An official petition to repeal the Online Safety Act has received more than 375,000 signatures at the time of writing, which means the UK parliament must consider it for a debate.
In response to the petition, the UK's Department for Science, Innovation, and Technology said on Monday that the government and Ofcom were “balancing the protection of users from online harm with the ability for low-risk services to operate effectively”.
“The government has no plans to repeal the Online Safety Act, and is working closely with Ofcom to implement the act as quickly and effectively as possible to enable UK users to benefit from its protections,” the department said.
Similar systems tested Down Under
Persona, k-ID, and Yoti’s technologies were among those tested in Australia’s recent trial of age assurance platforms, Information Age understands.
Preliminary findings from the trial, released in June, found that while some techniques among the dozens of tested technologies were “scarily accurate”, others experienced technical issues or kept too much user data.
The trial, which has yet to publicly share hard data about its testing results, found that while no single solution worked in all situations, there were no substantial technological limitations to implementing such technology in Australia.
Both Persona and Yoti submitted age verification technologies for the trial, which typically use government documents or ID; as well as age estimation technologies, which typically analyse a user’s facial or hand biometrics.
Yoti also offered age inference technology, which typically uses data about a person’s online activity or accounts to infer their age; while k-ID was tested as a parental consent and control provider.
The federal government is expected to use the trial’s findings to define the “reasonable steps” it will expect social media platforms to take to prevent under-16s from holding accounts from mid-December.
The technologies favoured by the government may also influence how search engine providers such as Google and Microsoft implement age checks for Australians searching the web in a logged-in state — which is also set to begin in December.
Research which heard “significant trust and security concerns” from Australian consumers about age assurance technologies was released by the federal government in June, around six months after it received the findings.
