On 24 April 2025, the protection of children codes of practice were laid in Parliament and Ofcom published guidance on how providers should carry out risk assessments for assessing the risk of harm to children. Services likely to be accessed by children, had a 3 month deadline of 24 July 2025, to complete their children’s risk assessment.

The Road to Hell (Paved with Good Intentions)

Nobody's arguing against protecting children online. That's obviously a good thing. But this law is like using a chainsaw to perform surgery then wondering why you've demolished the entire hospital. The Act passed on 26 October 2023 and gives the relevant Secretary of State the power, subject to parliamentary approval, to designate and suppress or record a wide range of online content that is illegal or deemed harmful to children.

The problem? This 250+ page behemoth of legislation is so broad and vague that it's catching everything in its net – including stuff it was never meant to target.

Breaking Encryption: The "We Promise We Won't" Promise

Here's where it gets spicy. The OSB is a dangerous attempt to remake the internet. Instead of privacy, we will have age verification. Instead of security, we will have backdoors in end-to-end encryption.

The government keeps insisting they don't want to break encryption, but the law literally gives them the power to do exactly that. In September 2023, during the third reading in the Lords, Lord Parkinson presented a ministerial statement from the government stating that the controversial powers allowing Ofcom to break end-to-end encryption would not be used immediately. Nevertheless, the provisions pertaining to end-to-end encryption weakening were not removed from the act and Ofcom can at any time issue notices requiring the breaking of end-to-end encryption technology.

It's like giving someone the keys to your house and saying "but don't worry, I promise I won't use them."

The Encryption Nightmare

If you speak to anyone working in technology or cyber, we're pulling our hair out over this. Leading cybersecurity experts have made clear that even message scanning, mistakenly cited as safe and effective by its proponents, actually "creates serious security and privacy risks for all society while the assistance it can provide for law enforcement is at best problematic."

And here's the kicker – the UK government has admitted there isn't technology that allows companies to scan certain messages without breaking all encryption. So they've basically said "figure it out" to tech companies, as if wishing for unicorns will somehow make impossible technology materialize.

Wikipedia vs. The State

Remember Wikipedia? That handy site you definitely didn't use to write your university essays? Well, they're so fed up with this law that they're taking the UK government to court. Next week, on 22 and 23 July 2025, the High Court of Justice in London will hear the Wikimedia Foundation's legal challenge to the Categorisation Regulations of the United Kingdom (UK)'s Online Safety Act (OSA).

Why? Because the law could force Wikipedia to verify the identity of their volunteer editors – you know, those anonymous heroes who spend their free time making sure you know exactly when Napoleon was born. If enforced on Wikipedia, Category 1 demands would undermine the privacy and safety of Wikipedia's volunteer contributors, expose the encyclopedia to manipulation and vandalism, and divert essential resources from protecting people and improving Wikipedia.

Imagine if trolls could just post misinformation and then block volunteer editors from fixing it. That's basically what this law could enable.

The Global Ripple Effect

This isn't just a UK problem – it's become everyone's problem. The Online Safety Act became law in October 2023. It's now up to OFCOM, the UK regulator, to put it into practice, but the Online Safety Act is likely to have an extra-territorial effect, which leaves companies in the position where they have to choose between offering services in the UK, or providing end-to-end encryption.

So companies either have to weaken security for everyone globally, or just block UK users entirely. Some are already choosing the latter – This followed statements from several tech firms, including Signal, suggesting they would withdraw from the UK market rather than weaken their encryption.

The Age Verification Mess

In order to comply with the legislation, some websites and apps stated they would introduce age verification for users in response to a 25 July 2025 deadline set by Ofcom.

Quelle surprise, a quick look at Google Trends shows a completely unsurprising uptick in certain searches this week:

I've written at length about the potential pitfalls associated with VPN use (in particular "free" VPN's. This will undoubtedly result in a huge uptick in identity theft and cyber-crime in general and will do nothing to prevent a semi-determined user from accessing content.

This morning I've had age verification notifications from Discord, Reddit and Bluesky, all steering me to dump my driving licence, credit card data or other PII to non–domestic age verification platforms. My solution? Move to Brazil - although another, almost equally simple solution would be to deepfake someone else.

The kids that this law is supposed to protect are already finding inventive and entertaining methods of bypassing the controls turning the whole thing into performative nonsense with a side-order of risk.

It's somewhat timely that one site, Tea, that mishandled identity verification suffered a breach this week, serving of a reminder of the consequences of submitting private data to a third party website with no knowledge of what they're doing with it. The irony of this being a womens safety dating app will be no consolation to the victims of the breach.

This isn't the first time this type of thing has happened and it absolutely won't be the last. If you've not had the pleasure of listening to our good friends at Digital Interruption talk about this type of issue before, then you can catch up here.

Genuinely Hazardous and Illegal Content

It should come as no surprise that the sites serving genuinely harmful and illegal content couldn't care less about UK law. They'll hide their presence via Tor, host in countries with limited regulation and ensure they exist in gated communities. Criminals are going to commit crimes. And we're now actively pushing kids to the dark corners of the internet where those criminals reside.

Censorship Creep

While they dropped the most obviously problematic "legal but harmful" content provisions, the law still gives the government pretty sweeping powers over what can be said online. Under the cover of protecting children – a catchphrase repeated as the reason for the urgency of the legislation – the government has already conferred on itself future powers to access end-to-end encrypted messages (as soon as the technology becomes available), as well as powers to restrict what can and cannot be said on social media platforms.

It's giving very strong "trust us, we're the government" vibes, which historically speaking, hasn't always worked out so well.

The Technical Impossibility Problem

Here's the thing that's driving everyone absolutely bonkers: the government admitted the technology to securely scan encrypted messages for signs of child sexual abuse material (CSAM) without compromising users' privacy, doesn't exist - yet.

So they've passed a law requiring companies to do something that is literally impossible with current technology. It's like passing a law requiring cars to fly and then fining Toyota when they can't make it happen.

What's Next?

The implementation is rolling out in phases, and it's already causing chaos. The act is expected to be fully implemented in 2026, but companies are already scrambling to figure out how to comply with requirements that may be technically impossible.

We'd urge people to get in touch with their MP, sign a petition or support one of the lobby groups (such as the Open Rights Group) that are actively pushing the UK government to repeal this ill thought out legislation

The Bottom Line

Protecting children online is important. But this law has caught legitimate services in its dragnet, it's pushing tech companies away from the UK, it's threatening the privacy and security that actually keeps people safe online, and it's giving the government powers that would make an authoritarian regime jealous.

The road to digital hell is paved with good intentions, and the UK seems determined to be the first to arrive.