On July 25th 2025, the Online Safety Act’s children’s safety duties came into force, and the British internet changed overnight. Parliament had intended to shield children from pornography, self-harm forums and algorithmic bullying. Instead, it required every major platform likely to be accessed by under-18s to implement “highly effective” age verification for harmful content, on pain of fines up to 10% of global turnover. Ofcom, newly armed with the powers of a financial regulator, wasted no time. Within hours, Reddit demanded facial scans or government ID for NSFW sections — those areas of the site marked ‘not safe for work’, containing adult material such as pornography or graphic imagery — Spotify locked explicit lyrics and music videos behind biometric checks, and Pornhub gated all UK access with ID checks. Within days, thousands of Spotify users faced account deletion. Safety? No. A national firewall was born.

The first crack appeared at dawn. Proton VPN, a Swiss service long recommended by the National Cyber Security Centre for its no-logs policy, recorded a 1,400% surge in British sign-ups minutes after midnight on July 25th. Google searches for ‘VPN UK’ followed the same curve. Three weeks later, the Children’s Commissioner, Dame Rachel de Souza, was on BBC Newsnight declaring virtual private networks “an absolute loophole that needs closing“. Ofcom, reading the mood, issued guidance warning platforms that any encouragement of circumvention tools would be treated as a breach of duty. The message was clear, evasion was now a regulatory offence. The law that gated Pornhub just paved the way for your digital ID.

Yet the law’s architects had overlooked a simpler truth. Teenagers, long accustomed to borrowing their parents’ Netflix passwords, proved equally adept at borrowing their parents’ VPN subscriptions. Those without access turned to Tor and the dark-web mirrors of the very sites the Act sought to regulate began to swell. Cybersecurity firms recorded a doubling, and in some cases tripling, of British traffic to .onion addresses offering unfiltered versions of Reddit, Discord and adult platforms. Analyses from privacy advocates like the Open Rights Group, drawing on forensic data, indicate that these unregulated proxies hosted significantly more child-abuse, self-harm and extremist material than the gated sites they replaced — spaces with less moderation and greater risks of predators. Safety, it turned out, had merely been relocated to spaces where moderation was non-existent.

The second crack was more serious. On the very day the Act took effect, a little-known American app called Tea — marketed as a “whisper network” for women — suffered a catastrophic breach. An unsecured Firebase bucket spilled 72,000 images, including 13,000 government-issued identity documents and facial selfies, across 4chan. Three days later, a second Tea breach exposed 1.1 million private messages, including location data. Three months later, Discord followed. A third-party verification firm, contracted to handle British age appeals, lost control of 70,000 passports and driving licences. The Information Commissioner received breach reports and began assessments, but the damage was irreversible, leaked IDs quickly surfaced on dark web forums like BreachForums, ready for resale.

These were not random misfortunes. They were the direct consequence of a legislative mandate that required millions of Britons to upload sensitive documents to private companies with no statutory duty to delete them — a requirement triggered by the Online Safety Act’s age-verification rules. The Home Office’s own figures show that 43% of British businesses suffered a cyber incident in the past year: the Act had simply created a new category of high-value targets. Privacy campaigners warned of “honeypots”, and they were proved right with depressing speed. The breaches exposed not only personal data but the fragility of the entire verification ecosystem. The Tea app, designed to let women vent anonymously about dates, became a digital identity bazaar overnight. Discord, a platform where millions of British teenagers coordinate gaming sessions and schoolwork, suddenly carried the weight of passport-level exposure. The irony was stark, a law meant to protect the young had handed their most sensitive credentials to hackers on a silver platter.

The third and most consequential crack concerns the quiet fusion of the Online Safety Act with the Government’s digital identity programme. The Data (Use and Access) Act, passed in June 2025, elevated the Digital Identity and Attributes Trust Framework to statutory footing and established the Office for Digital Identities and Attributes. Yoti, the biometric firm most favoured by platforms racing to comply, reported a 25% increase in traffic and 6.5 million digital ID downloads in the UK shortly after the OSA’s rollout. Each verification, ostensibly ephemeral, feeds a reusable credential that can be linked to banking, travel and eventually employment. The Children’s Commissioner may rail against VPNs, but the deeper logic is inexorable: only a centralised, government-backed identity can close the loophole she deplores. The Act’s daily tally of five million age checks has become the proving ground for this infrastructure, turning what was sold as a narrow child-safety tool into the foundation of a broader surveillance apparatus.

Read More: They Said it Was to Protect Kids. Now Your Passport’s on the Dark Web – and Your NHS Record is Next