Age verification and device scanning: what the UK's new plans mean for your privacy

On 15 June 2026, Prime Minister Keir Starmer announced that children under 16 would be banned from accessing social media platforms in the UK—TikTok, Instagram, YouTube, Snapchat, Facebook, and X among them. Enforcement is due to begin in spring 2027, with regulations laid before Parliament before Christmas 2026. The powers stem from the Children's Wellbeing and Schools Act 2026.

Within 24 hours, a coalition of digital rights organisations—including the Open Rights Group, Big Brother Watch, Index on Censorship, NO2ID, and Defend Digital Me—had begun mobilising. Their campaign, 'Stop Killing the Internet', formally launched on 27 June 2026. A parliamentary petition opposing the ban has already exceeded 192,000 signatures, well past the 100,000 threshold required to trigger a parliamentary debate.

The concerns raised go considerably further than whether teenagers should be on Instagram. The central argument is that enforcing age restrictions at the scale the government envisions requires infrastructure that poses serious privacy risks to every user in the UK—not just children. Add to this a concurrent government deadline requiring Apple and Google to implement on-device scanning, and the picture becomes significantly more troubling.

What the under-16 ban actually requires

Banning under-16s from social media sounds straightforward enough as a policy objective. The implementation is where it gets complicated. For a platform to reliably exclude under-16s, it must be able to verify the age of everyone who attempts to sign up or log in. That means some form of age verification at scale—for platforms with tens of millions of UK users.

The methods most commonly discussed involve either government-issued identity documents, credit card checks, or third-party age verification services. Each of these creates a data trail linking a real person to their platform activity. Even where that data is not directly retained by the platform, it must pass through verification infrastructure that becomes a valuable—and vulnerable—target.

Ofcom, the body responsible for overseeing online safety regulation in the UK, has itself flagged outstanding privacy considerations with the proposals. That is a notable admission: the regulator tasked with making the system work has publicly acknowledged that the privacy questions have not been fully resolved.

Why the 'Stop Killing the Internet' campaign matters

The coalition behind the campaign represents a broad cross-section of civil liberties and digital rights advocacy. Their objection is not simply that age verification is inconvenient—it is that the architecture required to make it work at national scale is incompatible with meaningful online privacy.

Their arguments centre on several concrete concerns:

• Data aggregation risk. Age verification systems collect identity data. Whether held by the platform, a third-party verifier, or the state, that data can be breached, subpoenaed, or repurposed. A database linking real identities to social media accounts is precisely the kind of infrastructure that authoritarian governments—and sophisticated criminal actors—seek to exploit.
• Chilling effects on speech. When users know that their real identity is tied to their online activity, behaviour changes. People self-censor. Sources go quiet. Whistleblowers stay silent. Index on Censorship's involvement in the coalition reflects this concern directly.
• Scope creep. Infrastructure built to verify age does not stay limited to that function. Once a national age verification layer exists, the technical and political pressure to extend its use—to other content categories, other platforms, other purposes—is well-documented in the history of surveillance technology.
• Burden on legitimate users. Every adult in the UK would need to prove their age to access platforms they currently use freely. The friction this creates disproportionately affects people who lack standard identity documents—including some of the most vulnerable members of society.

The petition's rapid growth to over 192,000 signatures suggests the campaign has found a receptive audience well beyond the usual digital rights community.

On-device scanning: the concurrent threat

Running in parallel with the age verification debate is a separate but related development: a UK government deadline requiring Apple and Google to implement on-device scanning on their platforms.

On-device scanning—sometimes referred to in the context of client-side scanning—means that software on your phone analyses your messages, images, or files before they are encrypted and sent. The stated purpose is to detect illegal content, particularly child sexual abuse material. The privacy objection is fundamental: it breaks the security model of end-to-end encryption by creating a scanning layer on the device itself, before encryption applies.

Privacy experts and cryptographers have consistently argued that there is no technical way to implement client-side scanning that applies only to illegal content. The scanning mechanism, once built into a device, is available to anyone with sufficient leverage over the manufacturer—whether that is the UK government today, or a different government or attacker tomorrow. Apple itself previously paused a planned implementation of similar technology in 2021 following a significant backlash from the security and privacy research community.

The 'Stop Killing the Internet' campaign has explicitly linked the age verification push and the on-device scanning deadline as two faces of the same underlying problem: the construction of surveillance infrastructure under the banner of child protection that will, by its nature, apply to everyone.

The encryption question

Both issues touch on encryption—the technology that protects private communications, financial transactions, medical records, and journalistic sources. Age verification systems that rely on centralised identity databases weaken the pseudonymity that encryption-based privacy depends on. On-device scanning undermines end-to-end encryption directly.

It is worth being precise here: neither proposal technically breaks encryption in the narrow sense of attacking the mathematical algorithms. What they do is insert surveillance capability at the points where content exists in unencrypted form—at identity verification, and at the device before a message is sent. From a practical privacy standpoint, the effect is similar.

For anyone who relies on encrypted communications for sensitive reasons—journalists, lawyers, medical professionals, activists, domestic abuse survivors—these proposals are not abstract. They affect the real-world safety guarantees that encryption currently provides.

What this means for VPN users specifically

A VPN protects your internet traffic from being observed by your ISP or anyone monitoring your network connection. It does not, by itself, address the concerns raised by age verification or on-device scanning—and it is important to be clear about that distinction.

If a platform requires age verification before granting access, a VPN does not bypass that requirement. If scanning is implemented on your device, a VPN does not prevent the scan from occurring before data is sent. These are different layers of the privacy stack.

What a VPN does provide is meaningful protection at the network layer: your ISP cannot see which sites you visit, your DNS queries are not exposed, and your traffic is not trivially linkable to your IP address. In an environment where surveillance infrastructure is expanding, maintaining that layer of protection becomes more rather than less relevant. You can review what our no-logs policy covers if you want to understand what PremierVPN does and does not record about your activity.

If you are concerned about your exposure at the network level—particularly on public or shared connections—our IP leak test is a useful starting point for checking whether your current setup is actually protecting what you think it is.

What happens next

The government has committed to laying regulations before Parliament before Christmas 2026, with enforcement beginning in spring 2027. That is a compressed timeline for resolving the implementation questions that Ofcom itself has flagged as unresolved.

The parliamentary petition's crossing of 192,000 signatures means a debate in the House of Commons is now required. Whether that debate influences the final shape of the regulations remains to be seen, but it represents a formal mechanism for parliamentary scrutiny of the proposals.

The 'Stop Killing the Internet' coalition has indicated it intends to maintain public pressure throughout the legislative process. The involvement of organisations with established legal and lobbying expertise—including the Open Rights Group and Big Brother Watch—suggests this will not simply fade as a news story.

For the on-device scanning deadline, the position of Apple and Google will be critical. Both companies have previously resisted government pressure on encryption-adjacent issues, though both ultimately operate in markets subject to UK law.

The broader pattern

The UK is not acting in isolation. Age verification mandates, content scanning requirements, and pressure on encryption are active policy debates across the EU, Australia, Canada, and the United States. What the UK implements—and how the legal and technical challenges play out—will be watched closely by governments elsewhere.

That is part of why campaigns like 'Stop Killing the Internet' frame this as a global issue rather than a purely domestic one. Surveillance infrastructure, once built, tends to travel. Technical standards adopted under UK law influence platform behaviour worldwide. And the arguments being made in Westminster today are structurally identical to those being made in Canberra and Brussels.

If you want to understand more about the underlying privacy technologies at stake here—including how encryption protocols work and what a no-logs VPN actually protects—our introduction to VPNs and our comparison of VPNs, proxies, and Tor cover the technical foundations in plain terms.

The 'Stop Killing the Internet' campaign, the parliamentary petition, and Ofcom's own stated reservations all point to the same conclusion: these proposals are not ready, and the privacy costs have not been adequately weighed against the stated benefits. The next six months of parliamentary process will determine whether that changes before the regulations become law.