Ethical hackers have demonstrated to Sky News how the UK’s new age verification systems for pornographic websites can be circumvented “in a matter of seconds” using widely available technology, just hours after toughened rules came into force.
Cybersecurity experts Chris Kubecka and Paula Popovici quickly accessed numerous adult content sites without verifying their ages on Friday, the same day Ofcom’s “highly effective age verification” requirements became mandatory.
The demonstrations, using standard software and simple techniques, have raised immediate questions about the effectiveness of measures designed to protect under-18s from accessing explicit content online.
Simple Tricks Defeat “Robust” Systems
Ms Kubecka, an internationally renowned cybersecurity specialist who helped recover Saudi Aramco’s systems after devastating cyberattacks, said the ease of bypassing the systems showed they would not be effective at stopping minors.
The systems are fundamentally flawed,” the ethical hacker told Sky News after demonstrating various bypass methods using commonly available tools.
The new regulations, enforced from 25 July, require adult websites to implement age checks that could include AI facial recognition, bank or ID verification, or technical solutions using browser cookies.
Ofcom’s chief executive Dame Melanie Dawes had declared that Friday marked the day when preventing children from viewing pornographic and harmful material would “start to change.”
VPNs Emerge as Primary Workaround
The most straightforward method to circumvent age verification involves using Virtual Private Networks (VPNs), which mask users’ IP addresses and make it appear they are accessing sites from countries without such restrictions.
Google Trends data shows searches for “VPN” have skyrocketed in the UK since the requirements took effect, with many users discovering they can bypass checks by simply changing their virtual location.
“It’s a non-issue for anyone with the most minimal of computing knowledge,” one Reddit user commented. “Ironically the most computer-literate in our country, the younger ones, will know exactly what to do.”
VPN services, which are entirely legal in the UK and commonly used for security and privacy purposes, effectively render the age verification requirements optional for tech-savvy users.
Ofcom Acknowledges Limitations
The regulator has admitted it cannot prevent individuals from using VPNs to bypass age checks, though it has made it illegal for platforms to encourage or promote their use for this purpose.
Oliver Griffiths, Ofcom’s group director for online safety, defended the measures despite acknowledging the loopholes: “Our research shows that these are not people that are out to find porn – it’s being served up to them in their feeds.
He emphasised that parental awareness of VPN usage and conversations about online safety remained “a really important part of the solution.”
The BBC reported that Ofcom warned parents that children using VPNs to bypass checks “would not be able to benefit from the protections of the Online Safety Act.
Privacy and Security Concerns Mount
Privacy advocates have raised alarm about the potential risks of the new verification systems, which require users to submit sensitive personal data including government IDs, credit card details, or biometric information.
Jim Baker of the Open Rights Group warned: “This could take the form of more scam porn sites that will trick users into handing over personal data to ‘verify their age’.”
The concerns appear justified, with a July 2024 data breach at ID verification service AU10TIX exposing sensitive information of millions of users from platforms including TikTok, Uber, and X (formerly Twitter).
Big Brother Watch director Silkie Carlo cautioned against “dangerously intrusive methods like biometric face scans and even ID cards and passports for internet access,” warning of potential security breaches and privacy intrusions.
Alternative Bypass Methods Proliferate
Beyond VPNs, hackers have identified multiple workarounds including the Tor Browser, which encrypts traffic through multiple servers to hide users’ locations, and various proxy services.
Some users have discovered that simply requesting desktop versions of mobile sites or using certain browser extensions can circumvent age gates on various platforms.
The ease of these bypasses has led to criticism that the £18 million fines threatened for non-compliant platforms may be enforcing a system that penalises legitimate adult users whilst failing to protect determined minors.
Industry Response and Platform Compliance
Major platforms have implemented varying approaches to compliance. Reddit uses Persona for NSFW content verification, whilst SpankBang employs the Yoti app. Others utilise services including 1account, VerifyMyAge, and AgeChecked.
However, Aylo, parent company of Pornhub, has criticised the approach as “ineffective, haphazard and dangerous,” citing an 80% traffic drop in Louisiana after similar measures were introduced.
“These people did not stop looking for porn, they just migrated to darker corners of the internet that don’t ask users to verify age,” the company warned.
Some smaller platforms, lacking resources to implement compliant systems, have chosen to block UK users entirely or shut down operations.
Public Backlash Grows
A petition to “Repeal the Online Safety Act” has already garnered over 77,000 signatures, with critics arguing the law creates more problems than it solves.
One petition signatory wrote: “The only people this will actually affect is the 50+ year olds. Young people will find ways around this in seconds.”
Technology Secretary Peter Kyle defended the changes, urging the public to “judge us by the impact we secure” and promising children would experience “a different internet” moving forward.
However, the immediate demonstration by ethical hackers of how easily the systems can be defeated suggests that impact may fall far short of intentions.
Expert Warnings About Unintended Consequences
Cybersecurity professionals warn that pushing users towards VPNs and alternative access methods could expose them to greater risks than the systems aim to prevent.
“When you force people underground, you lose all ability to protect them,” one security researcher noted. “Legitimate sites with proper safeguards become inaccessible, whilst unregulated alternatives proliferate.”
The demonstrations by Kubecka and Popovici highlight a fundamental challenge in digital age verification: balancing child protection with adult privacy rights whilst acknowledging the technical realities of the modern internet.
Their findings suggest that despite the government’s intentions and Ofcom’s enforcement powers, determined users of any age will continue to find ways around restrictions designed for a pre-VPN era.
Follow for more updates on Britannia Daily
Image Credit:
Anonymous Hacker – Image by Anonymous, licensed under CC BY-SA 4.0, via Wikimedia Commons.
