UK House of Lords Votes to Extend Age Verification to VPNs

The UK House of Lords has voted to extend "age assurance" requirements—effectively age verification mandates—to virtual private networks (VPNs) and a wide range of online platforms under the Children’s Wellbeing and Schools Bill. The decision deepens the reach of the already-controversial Online Safety Act, linking child safety goals to mechanisms that could have severe effects on private communication and digital autonomy.

What Was Actually Voted On

Two key amendments advanced during the Lords debate on January 21. Amendment 92 ("Action to Prohibit the Provision of VPN Services to Children in the United Kingdom") requires VPNs that are "offered or marketed to persons in the United Kingdom" or "provided to a significant number of persons" to implement age assurance for UK users. The measure passed by 207 Content votes to 159 Not Content votes.

Amendment 94a ("Action to Promote the Wellbeing of Children in Relation to Social Media") mandates that all regulated user-to-user services introduce age assurance systems to prevent under-16s from "becoming or being users." This proposal passed with 261 Content votes to 150 Not Content votes.

Both amendments will proceed to the Bill's next stage, the third reading in the House of Lords.

The Scope of Regulation

Under the existing Online Safety Act framework, "user-to-user services" include almost any online platform that enables individuals to post, share, or interact with content from others. This definition covers social networks, messaging apps, forums, and online gaming services. Only a few forms of communication, such as email, SMS, MMS, and one-to-one live voice calls, are explicitly excluded.

While political messaging around the vote often described the move as a "social media ban for under-16s," the actual scope is considerably wider. In effect, most interactive online platforms would now need to collect and verify age data from users, even where those services are not primarily aimed at children. This represents a major expansion of identity checks across digital infrastructure, once considered neutral or privacy-protective.

The VPN Contradiction

The inclusion of VPNs in Amendment 92 represents a particularly significant development. VPNs are services designed to conceal personal browsing data and protect against profiling by routing traffic through encrypted tunnels. They serve legitimate purposes including protecting privacy on public Wi-Fi, circumventing geographic restrictions for legitimate content access, and safeguarding sensitive communications.

Requiring VPN providers to implement age verification fundamentally contradicts their core purpose. These services, designed to protect user anonymity, would now face obligations to verify who their users are. This creates a practical and philosophical problem: how can a service simultaneously protect user privacy while collecting and verifying identifying information?

The amendment specifies that VPNs "offered or marketed to persons in the United Kingdom" or "provided to a significant number of persons" must implement age assurance. The phrasing leaves room for interpretation regarding what constitutes "a significant number" and how providers would determine if they fall under UK jurisdiction.

Rejected Amendments

Two other amendments, both more technologically intrusive, were discussed but rejected. Amendment 93, introduced by Lord Nash, would have compelled smartphone and tablet manufacturers, distributors, and importers to install "tamper-proof system software which is highly effective at preventing the recording, transmitting (by any means, including livestreaming) and viewing of CSAM using that device."

The only plausible way to enforce such a measure would be through constant, automated inspection of every photo, video, and stream on a device. This form of surveillance would have converted personal devices into continuous content monitors, raising severe privacy and accuracy concerns, including potential false positives. Lord Nash stated: "On Amendment 93, I have had a constructive discussion with Ministers on this issue and more discussions are in progress, so I will not push that to a vote today."

Amendment 108, proposed by Lord Storey, would have required user-to-user services "likely to be accessed by children" to set their own minimum age thresholds and use age assurance to enforce them. He argued that a single blanket ban under Amendment 94a was overly rigid. "Having different minimum ages for different platforms would be a better solution," he said, maintaining that his version would be more effective in practice.

Neither of these amendments passed, leaving Amendments 92 and 94a as the only ones to advance.

Technical Implementation Challenges

The practical implementation of age assurance systems presents significant technical challenges. Age verification typically falls into two categories: age estimation (using biometric or behavioral analysis) and age confirmation (requiring documentation like government ID or credit card verification).

For VPN services, which often operate with minimal user data collection by design, implementing any form of age verification would require fundamental architectural changes. Many VPN providers operate on a model where they don't collect personal information precisely to protect user privacy. Requiring them to collect and verify age data would force them to either:

1. Implement new identity verification systems, potentially requiring government ID or other documentation
2. Use biometric estimation methods, which raise their own privacy concerns
3. Refuse service to UK users entirely

For broader user-to-user services, the implementation would likely require integrating with third-party age verification services. These services have faced criticism for creating centralized databases of user identities, creating attractive targets for hackers and potentially enabling surveillance.

Legal and Practical Implications

The amendments represent a significant shift in how the UK approaches online regulation. Rather than focusing on content moderation or platform responsibility, these measures shift the burden to service providers to verify the age of all users.

This approach raises several concerns:

1. Privacy Impact: Collecting age verification data creates new privacy risks and potential for data breaches
2. Access Restrictions: Users who cannot or will not verify their age may be excluded from legitimate online services
3. Technical Feasibility: Many services, particularly decentralized or privacy-focused platforms, may lack the infrastructure to implement robust age verification
4. Jurisdictional Issues: Determining which services fall under UK jurisdiction becomes complex, especially for international providers

What Happens Next

The amendments now move to the third reading in the House of Lords. During this stage, further amendments could be proposed or existing ones modified. The bill will then proceed to the House of Commons for consideration, where it may face further debate and potential changes.

The discussion highlights a deepening push within UK legislation to merge digital identity checks with online participation. While described as safeguarding children, the changes embed a new layer of identity verification across tools once used for privacy, such as VPNs.

For now, the most invasive surveillance measure, client-side scanning, has been set aside. However, the fact that it was seriously considered indicates continuing interest in embedding scanning mechanisms directly into personal devices. Whether similar proposals reappear during the third reading remains to be seen.

The UK's approach contrasts with other jurisdictions. The European Union's Digital Services Act focuses more on platform transparency and content moderation systems rather than universal age verification. The United States has generally avoided federal age verification mandates, though some states have implemented their own requirements.

As these measures progress through Parliament, the technical and privacy communities will be watching closely to assess their practical impact on digital rights and online freedom in the UK.