The UK Online Safety Act is being discussed in various ways

[Age Verification] UK Online Safety Law is being toyed with in various ways: Bypassing it with VPNs and bypassing biometric authentication with Death Stranding

What is the UK Online Safety Act?

The UK Online Safety Act was officially enacted into law on 2023-10-26, receiving Royal Assent, and will come into full effect on 2025-3-17 (the actual implementation date will be determined by each article). It requires online service providers to assess and manage the risks of illegal or child-harming content. The UK communications regulator, Ofcom, has begun enforcement. The law applies to a wide range of businesses, both large and small, including social networking sites and search services, and Ofcom regulates them and imposes penalties for violations. While placing particular emphasis on protecting children and strengthening age verification, issues of freedom of expression and the burden on small businesses have also been raised.

Some of these additional provisions came into effect on 2025-7-25, including some core provisions such as mandatory age verification.

The "core provisions" that came into effect on 2025-7-25 are additional obligations and regulations regarding the protection of minors. The main points are as follows:

  • Platform operators are now required to protect users under the age of 18 from illegal or harmful content.
  • New crimes include the sharing of AI-generated "deep fake pornography" and "cyberflashing".
  • Age verification mandates have been strengthened, requiring platforms to implement sophisticated age verification methods to prevent minors from accessing adult content.
  • Companies are now required to take an approach that protects the rights and safety of minors from the design stage, such as making minors' accounts and personal information private by default, adding features to prevent cyberbullying and inappropriate contact, implementing safety measures for AI chatbots, and eliminating addictive design elements.

This regulation requires platforms to gradually strengthen their systems and operations to "protect minors from harmful or illegal content." However, there are some exceptions and exemptions for smaller businesses. Table 1 summarizes these.

| Case | Not subject to OSA regulations (special exception) | Notes |
| --- | --- | --- |
| For internal business purposes (intranet, etc.) | | Users are in a "closed" environment, such as within a company |
| Limited functionality (review and comment sections only) | | Posting and rating only, no other interactive features |
| Public/public service, small blogs, volunteer work | | In the case of exclusion by secondary legislation or operation |
| News Publishers and Broadcasters | | Explicit exclusions under the media clause |
| Small but high-risk harmful content sites | × | Government and Ofcom judgement on a case-by-case basis |

(Table 1) Exceptions and exemptions to the OSA regulations

Ofcom-permitted methods of age verification

As of July 2025, Ofcom allows the following "robust and highly effective" age verification methods:

  1. Age estimation by facial recognition (AI estimates age from selfies)
  2. Photo ID verification (upload and verify images of official documents such as driver's licenses and passports)
  3. Digital ID service (using information already registered in digital ID wallets such as Yoti)
  4. Open banking authentication for bank accounts (providing age information via the bank's secure login system)
  5. Mobile line contract information (verify age using phone number and carrier contract information)
  6. Credit card verification (a cardholder must be 18 years of age or older)
  7. Analysis of usage history linked to email accounts (utilizing age-based usage history of specific services)

Ofcom does not generally allow "self-declaration (checkbox only)" or methods that do not provide sufficient identity verification (such as simply entering a date of birth). In addition, since each method has different privacy protection and information leakage risks, businesses are required to select a technology based on a risk assessment.

Although a wide range of methods is available, various loopholes have already begun to be used since the provisions came into effect on 2025-7-25.

Loophole 1: VPN

Just as when a similar law was enacted in France, VPN registrations skyrocketed, apparently increasing by 1400% within minutes of the law's enactment (compared to 1000% in France).

Ofcom prohibits platforms and website operators from publishing content that "promotes, advertises or encourages the use of VPNs" by minors to circumvent age verification procedures required by the Online Safety Act, but it is unable to ban VPNs themselves, so it appears to have been forced into an awkward position.

Loophole 2: Flaws in age estimation using facial images

As mentioned above, Ofcom also approves AI facial age estimation. The specific mechanism is as follows:

  1. Face detection and feature extraction
    • The system first automatically detects human faces from the camera or images.
    • Identifies facial features such as the eyes, nose, mouth, and contours, and extracts patterns characteristic of age, such as facial expressions, wrinkles, skin texture, and contour changes.
  2. AI-based age estimation
    • Machine learning models (mainly deep learning, CNN, etc.) are pre-trained with millions to tens of millions of face images paired with real age data.
    • The feature values of the input face image are compared with the vast number of face patterns that the trained model has seen in the past, and the model statistically calculates, "What is the average age of people with similar feature patterns to this face?"
    • In many cases, age is not estimated as an absolute value but as a range of "○ years old to ○ years old", and the facial image itself is deleted immediately once the result has been output, ensuring privacy.
  3. Processing flow (example)
    1. Upload face image/Get video from camera
    2. Face detection → feature point extraction → input to age estimation model
    3. Outputs the closest age group and average estimated age
    4. Return the result and delete the image

The advantages include the following:

  • No personal information required, privacy-focused
    • Since age can be estimated on the spot using only a "face image" without having to enter name, date of birth, ID number, etc., the risk of information leaks is significantly reduced.
  • Highly accurate and fast judgment
    • AI estimation is often more accurate than human visual inspection or staff judgment, and is less prone to misidentification or subjective bias.
    • It only takes a few seconds for the result to be determined, and it can be used instantly at large-scale services, unmanned registers, and automatic ticket vending machines.
  • Inclusiveness (easy for everyone to use)
    • It can be used by people who do not have physical ID such as a passport or driver's license. It is a system that is friendly to young people and the elderly, who are increasingly required to verify their age.
  • Anti-spoofing measures and safety
    • Liveness checks (confirming that a real, live person is present rather than a still image) address the risk of "impersonation" using photos and videos.
  • Improved business efficiency and trouble prevention
    • It does not rely on the judgment of store staff, and greatly improves work efficiency with accuracy and speed. It also reduces ID forgery and other troubles (disputes with customers).
  • Resistance to ID lending attacks
    • It will be more difficult to pass age verification by borrowing an older person's ID document.

In ISO/IEC 27566-1 Age assurance systems Part 1: Framework, this corresponds to the part called Age Estimation.

It is being increasingly used in online services such as Discord, Reddit, BlueSky, and Xbox, as well as in self-checkouts at UK retail stores and restaurant chains, but some implementations that lack presentation attack resistance have been bypassed, which has created a buzz. Specifically, it has been reported that Discord's check can be bypassed using the photo mode in the action game "Death Stranding" (Desuto), released by Sony Interactive Entertainment.[1]

Death Stranding's photo mode is a multifunctional system that allows players to take in-game photos of landscapes and characters. Activated by pressing the left side of the touchpad, it allows players to pause the game and freely change the camera position and angle, fine-tune various settings, and fine-tune the pose, expression, and gaze of the subject, Sam (the protagonist). Using this feature, players appear to have bypassed Discord's age estimation by following commands such as "look right." It appears that the system either failed to meet the requirements of ISO/IEC 30107 Biometric presentation attack detection or ISO/IEC 19989 Criteria and methodology for security evaluation of biometric systems, or that there were gaps in these standards. Future developments will be closely monitored.
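The processing flow and the presentation-attack gap described above can be expressed as a fail-closed decision step. This is an added example, not code from the original post or from any vendor; the thresholds, the `Capture` fields, the direction of `pad_score` and the `estimator` callable are all assumptions chosen for illustration.

```python
from dataclasses import dataclass
from enum import Enum

class Decision(Enum):
    ALLOW = "allow"
    ESCALATE = "escalate_to_stronger_method"  # e.g. photo ID or open banking
    REJECT_CAPTURE = "reject_capture"         # suspected presentation attack

@dataclass(frozen=True)
class Capture:
    est_low: float          # lower bound of the estimated age range (years)
    est_high: float         # upper bound of the estimated age range (years)
    challenge_passed: bool  # user followed prompts such as "look right"
    pad_score: float        # assumed scale: 0.0 = live, 1.0 = presentation attack

# Assumed policy values, not Ofcom or vendor figures.
LEGAL_AGE = 18
BUFFER_YEARS = 5       # margin above the legal age to absorb model error
MAX_RANGE_WIDTH = 12   # wider ranges are too uncertain to act on
PAD_THRESHOLD = 0.3

def decide(c: Capture) -> Decision:
    # Following prompts is necessary but not sufficient: an animated face on a
    # screen can follow them too, so PAD is scored as a separate signal.
    if not c.challenge_passed or c.pad_score >= PAD_THRESHOLD:
        return Decision.REJECT_CAPTURE
    # A malformed or very wide range is not evidence of age; fail closed.
    if c.est_low > c.est_high or c.est_high - c.est_low > MAX_RANGE_WIDTH:
        return Decision.ESCALATE
    # Only the lower bound counts: the whole range must clear age + buffer.
    if c.est_low >= LEGAL_AGE + BUFFER_YEARS:
        return Decision.ALLOW
    return Decision.ESCALATE

def process(image: bytearray, estimator) -> Decision:
    """Run one check and wipe the image buffer whatever the outcome."""
    try:
        return decide(estimator(image))
    finally:
        image[:] = bytes(len(image))  # step 4 of the flow: delete the image

if __name__ == "__main__":
    # Constructed sample results standing in for a real model's output.
    for cap in (Capture(25, 31, True, 0.05), Capture(19, 25, True, 0.05),
                Capture(30, 36, True, 0.80)):
        print(cap, "->", decide(cap).value)
```

An adult-looking estimate with a high PAD score is rejected outright rather than escalated, so a failed liveness signal can never be offset by a confident age estimate.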

Footnote

  1. Satomi. August 2025, 08. Security hole exploited by taking a selfie from a game screen to authenticate age on 03+ sites. Gizmodo. https://www.gizmodo.jp/2025/08/k-id.html (Accessed on 2025-08-06)
