Ofcom Monitoring UK VPN Use Due to Circumvention of Online Safety Act
The UK telecoms and internet content regulator, Ofcom, has revealed they’re using an unidentified third-party monitoring tool – seemingly with AI capabilities – to track the public’s use of Virtual Private Network (VPN) tools as part of Government concerns that they’re being used to circumvent internet censorship measures under the Online Safety Act (OSA).
In case anybody has forgotten. VPN usage recently jumped after Ofcom began enforcing Age Verification measures across the internet as part of the OSA, which was sold to the public by the government as being intended to restrict access to porn.
However, the measures also ended up going much further and resulted in a heap of regular online services all suddenly wanting to scan your face and collect credit card details (among other methods) – often via unfamiliar third parties – before allowing access (e.g. messaging services, social media, online games, music streaming, TikTok etc.).
Advertisement
The change, which has been seen by some as indicative of the UK’s slow slide towards digital authoritarianism, occurred at a time when most of us have long been conditioned to share as little personal and financial data as possible with online platforms (especially social networks, where real names aren’t always used) – due partly to the all-too-common risk of data breaches.
Suffice to say, many adults did NOT want to have to share personal or financial details with unknown third-parties just to be able to chat with family members/business contacts or listen to the latest music, among other things. But the government’s sledgehammer approach leaves few alternatives, potentially fuelling the risk from cybercrime and making it harder for people to control who has access to their data.
One recent data breach, which was linked to online voice provider Discord helps to underline these points (here). The breach exposed government ID photos of approximately 70,000 users after hackers compromised a third-party company contracted for age verification.
VPN Use Spikes
In response, many people have been flocking to adopt VPN services in order to avoid age verification (e.g. using them to change the geographic location of their active IP address and mask the real connection). The UK government promptly responded to this by warning that online platforms which “deliberately target UK children and promote [Virtual Private Network] use” could now “face enforcement action, including significant financial penalties“.
Advertisement
Several government MPs have even called for the nuclear option of banning VPNs to stop circumvention of the rules (here), although officially the government says there are “no current plans to ban the use of VPNs“. But the option is still said to remain on the table, and we all know that plans can change, often suddenly (“no plans” is the most abused / changeable term in the PR arsenal).
What’s Ofcom Doing?
Some recent probing by TechRadar has now revealed that Ofcom are using an unidentified and seemingly AI powered (inferred from language in the comment below) third-party tool to track the public’s use of VPNs.
On the one hand, it’s not surprising that the regulator would be looking at VPN usage, given their role. But what is concerning is the lack of transparency involved in their approach and Ofcom’s seeming refusal to identify who they’re working with (i.e. people may wish to know if this is a company with a track record of protecting people’s privacy, or more associated with the use of invasive surveillance techniques).
As the website says, the fact that a regulator is using tools (and thus presumably spending money and resources) to specifically track the public’s use of software designed to enhance digital privacy is a concern that risks undermining their very purpose as a privacy tool.
Advertisement
A spokesperson for Ofcom said:
“We use a leading third-party provider, which is widely used in the industry, to gather information on VPN usage. The provider combines multiple data sources to train its models and generate usage estimates. The data we access and use in our analyses is fully aggregated at the app level, and no personally identifiable or user-level information is ever included.”
The regulator’s CEO, Dame Melanie Dawes, last month revealed (Open Letter to the Government) that, “following the 25th July deadline we saw a spike in their use – with UK daily active users of VPN apps temporarily doubling to around 1.5 million. However, usage has since plateaued, and has now fallen back to around 1 million by the end of September“.
However, as above, there remains a lack of transparency over how the regulator came up with this number. Ofcom previously said that the key question they will be monitoring (though they admit “it is hard to measure“) is whether VPN use is rising among children.
Data from Internet Matters, collected before July, suggests that around one in ten under-18s used VPNs, with use skewing towards older teenagers. No surprise there – this is the group likely to feel most aggrieved by the new approach, since there are few things more annoying than being 15-18 years old and yet treated like you’re 5.
At present both of the largest political parts remain fully supportive of the OSA and thus it’s difficult to imagine that the Government will roll back any of its measures (if anything, they seem to be extending it). Meanwhile, many online services will feel that the risk of being legally liable for not going far enough is something they cannot countenance and will thus continue to adopt such strict measures.
Please note that we won’t be able to approve any comments on this news article if they promote VPN services, for hopefully obvious reasons.
Mark is a professional technology writer, IT consultant and computer engineer from Dorset (England), he also founded ISPreview in 1999 and enjoys analysing the latest telecoms and broadband developments. Find me on X (Twitter), Mastodon, Facebook, BlueSky, Threads.net and Linkedin.
« VodafoneThree Tops 1.7 Million UK Broadband Users as Mobile Rises to 28.82m
Advertisement
Leave a Reply
Privacy Notice: Please note that news comments are anonymous, which means that we do NOT require you to enter any real personal details to post a message and display names can be almost anything you like (provided they do not contain offensive language or impersonate a real person's legal name). By clicking to submit a post you agree to storing your entries for comment content, display name, IP and email in our database, for as long as the post remains live.
Only the submitted name and comment will be displayed in public, while the rest will be kept private (we will never share this outside of ISPreview, regardless of whether the data is real or fake). This comment system uses submitted IP, email and website address data to spot abuse and spammers. All data is transferred via an encrypted (https secure) session.
I guess this is all from tracking cookies and third-party analytics which are embedded into most websites. It’s good internet hygiene to block these especially if you are visiting less reputable parts of the internet.
I don’t think the government would go so far as to ban VPNs but they may require them to be age gated. However, they need to be prepared for what follows. They may note that even regimes as extreme as China and Russia are not able to effectively block access.
I really hope ultimately the government will realise the proper way to handle this is by making it easy for parents to control what access their children have. All the tools already exist to do this effectively but perhaps the government can force device manufacturers to make it easier.
You really trust the government that much? This country is becoming like China, the only difference at the moment is we have a choice voting someone in, sadly they are no difference in any of them.
This country has already become a police and nanny state. I would not put anything past our government, no matter what side they bat for.
I use a VPN for when I am using Wi-Fi out of my house, I also use it at home as well. Ban VPN and people will still use it, or use the Tor browser.
No I don’t trust them at all. But I mainly put it down to incompetence rather than malevolence. They have listened far too much to lobbyists who have laudable aims but do not understand the wider implications or don’t care about them. You can read any article on the BBC about OSA and you will find barely a mention of the security and privacy implications of the act – they just wheel out quotes from the NSPCC and/or victims groups saying how it doesn’t go far enough – unbelievable. It goes to show the extreme institutional groupthink that’s going on here. However, there is hope because there is a rising number of people opposed to these government intrusions (3 million signatures against digital ID, 500K against OSA). This will rise as the implications are felt by more people and will become electorally significant. That’s why I hope the government will eventually about turn and solve the problem in the right way.
Over the last year, the UK has arrested 4x more people for online posts than China. China’s population is much much greater. And people still naively think China is the extreme country
Try going to TST in Hong Kong, then compare with Whitechapel in Tower Hamlets and figure out the extreme
@John Don’t believe everything you read on the internet. You think regimes like China or Russia publish remotely accurate arrest numbers? We would not even be allowed to have this discussion in either of those countries. The UK has a lot of problems in this area but let’s keep things real.
Not trusting the government is wise. Blindly believing nonsense like “the UK arrests 4x more people for online comments than China” is not.
It’s a shame you choose not to apply to the same level of scrutiny towards things that agree with your preconceptions as you do towards things you don’t like.
There are two different Johns in this thread. Note the casing of the J. I’ll stick some extra letters on mine from now on to avoid further confusion.
Not only 4x, China is reported to have arrested 1500 people, Germany 3500 and the UK 13000!!! This is not a leaderboard that the UK should be topping and it is completely indefensible
And why is it hard to believe? In China the line is very clear: do not criticize the party. So people use roundabout ways. In the UK people get arrested for simply stating true facts on things the gov wants to hide like Wayne Rourke who spent 2 years in jail and still has a gag order imposed
In China they do not let out violent offenders “by mistake” to oppress the population, in the UK the number is over 80 this year alone
To be clear China is an oppressive authoritarian regime with digital id who bans people from buying groceries for non crimes…. But wait the UK is also copying digital ID!!
Will OFCOM mandate that VPN providers, build in a backdoor, slowly ever so slowly the web is being controlled and I fear that it will become irrelevant.
Yup, pathetic isn’t it, rather than doing this they should be educating kids more of the dangers that are out there, any kid with half an IQ can bypass what they’ve already done, all it’s doing is annoying the average person, and companies will rather stop servicing country’s than be bullied to do as they say, look at imgur, I’ve used it for years for all my image hosting, useless to me now, tons of websites with now no images being displayed and endless amounts of tutorials with no pictures in them, started a new game recently and wanted to check up on some guides, and all the images were all hosted on imgur >.<
There should be an option on your broadband accounts to disable all blocks like most do with 18+ rated content, once allowed, you become responsible for what your kids get up to.
@Martyn – broadband accounts are pretty irrelevant now, when the majority of kids 10+ already have their own phones (and in truth, a lot of secondary kids do need them for comms and safety when travelling to school, even if not while there). Of course it’s down to parenting, but controlling phones with 5G data is much harder than controlling home Wi-Fi devices all sitting on a router that you manage!
Just waiting to see what happens when the OSA gets tested by US websites in the American courts. 1 site is already suing Ofcom & if it goes their way it could turn into an avalanche of litigation.
I don’t think much will happen because 4chan is a very niche website that most people who even know it exists actively dislike. The US Court will say “Ofcom have no jurisidction here” and Ofcom will order UK ISPs to block it and nobody will care. More interesting will be when Ofcom start picking on bigger targets like Wikipedia who have said they will not bring in age checks under any circumstances. It’s astonishing that it’s a real possibility Wikipedia will be censored in the UK, although you would hope the government will step in before it gets to that.
I must admit I had never heard of 4chan before and couldn’t remember the name of it today either. But cases like these lay down a path for others to follow & if the UK government start to block US websites outright then that is quite likely to lead to retalatory action by the Trump administration.
What are the UK equivalent(s) of 4Chan that you think the US might block?
@Ben I don’t think Trump has shown he is one for a proportional response. Maybe he’ll block the BBC – he’s got a beef with them at the moment!
“beef” is cutting it short
The BBC manipulated footage of Donald Trump’s speech from him kindly saying:
“we will march Capitol Hill and cheer on Congress people and senators”
To leftist ragebait
“We will march on Capitol Hill and fight like hell!!!”
I hope the BBC gets sued into oblivion
Meh I’m no fan of the BBC and they should have made that cut more obvious, but please. Everybody knows it didn’t change the meaning of what Trump was getting at, just ask the rioters, they openly say that speech inspired them and then Trump pardoned them all on getting re-elected saying it was an injustice they were prosecuted! Says everything you need to know really. Anyway, it’s pretty clear that literally nothing can damage Trump’s reputation amongst his supporters and it already cannot be worse amongst everybody else.
What a deranged thing to say
It is already proven that the so called “rioters” were FBI agitators, to the point that the ones caught on the video doing the wildest things have completely escaped prosecution. Meanwhile the “qanon shaman” who got a police escorted walking tour of congress actually got arrested for many months until he got released because the video footage of him casually walking around being shown rooms from the police actually got released
And what would be these obvious reasons why you wouldn’t accept comments with VPN recommendations? Given that they are perfectly legal.
It’s in the article:
“The UK government promptly responded to this by warning that online platforms which “deliberately target UK children and promote [Virtual Private Network] use” could now “face enforcement action, including significant financial penalties“.”
I rather not take the liability risk.
Let’s just say that on the China forum, on Flyertalk, VPNs are rarely named in public. Especially if they are known to be effective.
Oh I do hope a Government minister gets caught with their pants down or seriously hacked! But then there would be a cover-up and Sir Humphrey will obfuscate the scandal of course.
They have brought about yet more unintended consequences by trying to control the uncontrollable.
It does not matter – Rachel Thieves has been caught not paying taxes on her rental property yet she will hike it up the wazoo for all of us
Denmark on Friday indicated it plans to ban access to social media by children. Progressives will inevitably try to introduce similar measures in the UK, with associated ID verification required for access more likely.
Then they get hacked and thousands of kids ID/photos get leaked, just like discord.
Regressives you mean. Progressives are for personal freedom, security and privacy. Nice attempt at a twist though. We all know which side wants this state control.
This is why we need some form of identification where it can be proved that the holder is over 18 yet it doesn’t contain any sensitive information itself. Perhaps single use / short term scratchcards which could be bought cheaply at an off-license and are subject to the same age controls as e.g. alcohol and tobacco.
@Anon:
It is progressives that back these bills – it was progressive groups that for instance, backed the restrictions on children’s access to mobile devices.
@Ben:
… any mechanism that I am aware of would have to apply to all users and thus would be deemed as another restriction on free speech.
Have you had your head in the clouds? Progressives haven’t been for those things for about the past 10 years. They constantly call for censorship and government control. Modern progressives are so regressive Mary Whitehouse would be proud of them. However, to your statement of which side wants this bill? Well, Labour wrote the bill, and both sides supported it, so it seems neither side are for freedom, security or privacy.
Sorry, the comment above was for Anon.
if we ban the use of said “VPN’s” then what about businesses then?
if I work from home and my F***iclie*t for example wont connect because it is banned, then thats a huge problem.
It’s not just that. If you are going to the office, I’m almost certain it will use some sort of VPN to connect to the head office/main data centre.
Banning VPNs would be effectively a ban of large international companies. They could, in theory, ban specific VPN apps, then the young will learn how to self-host a VPN, just like as they used to learn html to have a more flashy Myspace page.
Hopefully they wouldn’t be that stupid and would at the most only target those who sell themselves as a circumvention tool to kids, not saying I endorse the latter.
Even within the government I’d expect VPNs to be used.
Bearing in mind self hosting VPNs is also becoming more common, something I do myself to remotely access my home network and have an encrypted connection to my parents for off-site backups.
@htmm – it will almost 100%.
@tech3475- yes likely better to ban retail VPN providers (I*v***sh, N**d etc) because enterprise solutions are really geared as such which are often server/client whereby you host the server.
even hosting your own isn’t an issue to get to your own nas.
I can’t see this surviving being tested in court, Ofcom might want to believe the legislation says whatever they want, but it doesn’t.
Ofcom needs to be disbanded by the next government, not only it is a huge waste of taxpayer money and a huge infringement on human rights, it is also a huge burden on private companies that need to hire teams just to comply with ofcom.
Meanwhile the BBC just had one of their CEOs forced to resign for outrageously smearing an allied country and instead of ofcom condoning the behavior, they actually posted giving them a pat on the back. Absolutely disgraceful that a quango supposed to be an impartial regulator is picking sides
Totally agree with you and on top of that the way the changed the price increases system on broadband the older system was better yes it was vague but it was cheaper than now
Boomers in government, trying to legislate for technology they have no understanding of, hilarious. How are you going to van vpns (or DNS) that aren’t based in the UK ? Nadine Dorries and Boris Johnson came up with this nonsense.
Even China with their great firewall still has big gaps.
Ofcom is led by a Gen X CEO with only two or three directors being possible members of the “Boomers” generation.
” However, usage has since plateaued”… bs.
It’s possibly because many people will have signed up and tested their shiny new VPN account when the changes were first rolled out.
Afterwards usage will flatten as most won’t be connecting daily.
I found it hilarious that the government announced that the system was working, as porn sites were seeing 75% drop in UK-based visitors. What it suggests to me that only 25% have verified their ID.
In my opinion the way the online safety act should have been implemented is put pressure on Isp to ask you if there was someone under the age of 18 in your household and put dns filter on to block adult websites a simple yes no question to the person that pays the bills or implement a pin system like the way sky does it on their TV on top of that
sorry for any spelling mistakes I have dyslexia
issue is that as soon as you swap DNS to another one then it wont work.
then you go down the whole ‘you must use isp router’ which is a massive hinderance to some.
it still wont stop you altering DNS at the device level though in some cases.
It’s very hard to build a technical control for this sort of thing which cannot be bypassed by someone who is technically competent. The problem of children accessing inappropriate content needs to be solved with other, non-technical, controls.
I think of unintended consequences will apply here. If access to the larger websites that by and large do control their content is restricted, then its more likely that people will visit the many thousands of smaller websites and be exposed to much nastier stuff
There will always be a workaround I mean at the ISP level and a child would not be able to change the DNS only someone that is technically illiterate most people wouldn’t know how to change the DNS settings on router as most people use their ISP provided router and they could lock it so you can’t change the DNS settings on your ISP supplied router and they could implement DNS filtering through the ISP and could constantly be updated with list of websites to be blocked and could be shared between the ISPs they will always be issues anything else would be better than having to upload your government issued ID to every single website you visit to verify your age
It’s the parents that should start taking some responsibility here rather than expect the government to do everything. There are a number of child safe filters that can be installed onto device, for example Qustodio, Norton, Bark, Mobicip, Netnanny etc. Yep, there will always be ways that clever kids can get round these but it’s at least a start.
Reminds me of a friend who needed to update their younger child’s tablet to whitelist a new app, and the software on the tablet needed a pin code to do it, so my friend turns to his 11 year who also has the same blocking software, and asks him what the pin code was!
Parents need to take responsibility. Do parents leave the room and let their 4 year old use the kettle and cooker in the kitchen? No, they may supervise them to make some cakes as a learning exercise, but its not available to them until they are older.
Same should apply to anything connected to the Internet. If it is felt kids need a phone for when they are going to and from school for safety (a sad state of our country now that this is often necessary) then there are plenty of dumb phones available.
Children and their childhood would be much better enjoyed with no access to the Internet at all, its not making any children any happier or healthier.
Parents do have the responsibility in this area. The issue arises because there are factions that take the point of view that it is the government that should set the policy.
This will be more clear-cut in relation to sites hosting adult content, but these same groups have brought about legislation that now restricts access to mobile phones for teenagers. Further, it is the edge cases where such legislation might cross the boundaries between protection and freedom of speech/access to information that is of biggest concern.
Are we allowed to mention that a certain browser will achieve the same end?
Mark has asked us to not make a song and dance about this.
You know what’s even more annoying than being 15-18 and treated like a 5 year old?
Being in your 50s and treated like a frikking 5 year old.
I guess it’s reasonably easy to block free VPNs that don’t need a credit card to use.
you then have your age check…
I think part of the further push against VPNs is the advertisers. How can they target people in a specific region or demographic if said region is all pretending to be somewhere else?
I wouldn’t be surprised if that (money) is a big reason.
Does this not defeat the purpose of the National Cyber Security Centre’s advisory on the use of VPNs, particularly when connecting to public Wi-Fi?
https://www.ncsc.gov.uk/collection/device-security-guidance/infrastructure/virtual-private-networks
Various police forces in the UK also recommend the use of a VPN when connecting to public Wi-Fi:
https://www.surrey.police.uk/SysSiteAssets/media/downloads/sussex/advice/operations-initiatives-and-watch-schemes/operation-signature/wi-fi-hotspots-how-to-surf-safely.pdf
https://www.psni.police.uk/safety-and-support/keeping-safe/advice-students
https://www.actionfraud.police.uk/cms/wp-content/uploads/2018/07/Public-Wi-Fi_Do-you-really-know_Infographic.pdf
https://x.com/PoliceScotland/status/1244534971391520768
I do not want Ofcom to stoop to the same level as Roskomnadzor in Russia. It is vital that Ofcom understands that VPNs are used by many people for a wide range of legitimate purposes, including by businesses, diplomats, and others.
In The last Year UK Government has arrested more people posting comments on Social media
than China and Russia and these are communist country’s and have No Freedom supposedly
We in UK now have NO Free speech and 2 Tier justice
I think it would be impossible to produce any reliable figures that would support such a claim.
I think what this boils down to is the politicans are not technical and have zero understanding of what the internet is or how it works. Case in point is Neil Parish MP browising for tractors and ending up on a porn site.
This Labour party is turning this country into a version of Nazi Germany
Banning this and that,next you’ll need a digital ID and prove your age just to breath. Keir, Hitler would be proud of you.
The new upcoming “road tax” will literally be a tax on leaving your front door unless you live in a city
People in this country need to stand up against communist levels of taxation
It’s scaremongering. If you think you are watched 24/7, you comply. If Ofcom find that 100% of internet users have VPN access, then what? Ban VPN’s? Make all VPN’s age consent based?
The whole scheme is nonsense.
Anytime a Government wants to control it rolls out children, terrorists or immigrants as an excuse. Lets go further with this speculation. So reasonable people drop from the internet and find an alternative means of communication, then what? Do the Government make internet consumption mandatory so they can monitor you and your digital ID?
Any Government failing in basic duty will look to crackdown instead of solving the problem.
God, I miss the days of 4 UK TV channels and no phones.
@ John Turner… sadly the gov aka regime has turned this country into that.