Decentralising verification

Management

Alex Laurie at Ping Identity explores Virtual Private Networks, verification and building trust in digital systems

The rollout of age verification rules for adult sites under the Online Safety Act has been far from plain sailing. Since the regulations took effect, downloads of Virtual Private Networks (VPNs) have surged. While VPNs are commonly used for privacy purposes or accessing content abroad by creating a secure, encrypted "tunnel" for internet traffic, they have quickly become the go-to means for users bypassing age-gated websites to access explicit content.

Media companies that host adult material are ramping up efforts to block VPN use. However, while these technical countermeasures may be effective, they fail to address the underlying issue: the public’s fundamental lack of trust in how personal data is handled online. Despite the good intentions to protect children from inappropriate content, the requirement to provide personally identifiable information to access adult sites has understandably made people deeply uncomfortable and driven them towards privacy tools.

To truly build trust, verification must be entirely rethought. Decentralised identity systems offer a path forward, allowing users to verify their age without exposing any other personal data. Until such robust privacy-first options become the industry norm, people will continue to find ways to circumvent the system.

The British trust debate

Public hesitancy towards age verification stems primarily from deep-seated privacy concerns. According to our new Consumer Survey, this is not isolated to adult sites; social media platforms and online banking already rank among the least trusted online services in the UK. This widespread distrust directly impacts age verification, where people are unwilling to share personal information just to access certain sites or services.

The fear of data exposure - and the association with adult content sites - is a key motivator behind the surge in VPN use. As data breaches of media companies grow in both frequency and scale, public anxieties around the safety of information shared online have only heightened. The issue has therefore become more psychological than technological. In reality, the same verification systems are already used across different types of age-restricted services.These systems rely on trusted third-party verifiers to manage the checks, ensuring that the websites themselves never access the underlying personal data.

A key distinction lies in how data is handled. Media companies often lack strict security controls around Personally Identifiable Information (PII) and are largely driven by business models that collect and monetise user data to sell targeted ads. By contrast, credible third-party verifiers are subject to rigorous regulatory requirements and are built on robust security frameworks. Their safeguards include data encryption, enhanced fraud detection, and 24/7 monitoring specifically to protect sensitive data from unauthorised access.

Greater transparency around how data is handled, and the safeguards in place, is essential to educate and reassure users. Strong protections are already in place, ranging from regulatory standards like the GDPR to robust cyber-security frameworks. However, to build confidence in age verification systems, platforms and the UK government must clearly explain who manages the data, how it is stored, and what legal consequences companies face if it is exposed. While robust security is vital, visible trust-building measures, such as public reporting and accountability, are equally important to ensuring users feel confident in using age verification systems as intended.

Eliminating the shortcuts

The immediate hurdle facing the Online Safety Act is the widespread use of VPNs to bypass age verification requirements. For media companies, aggressively blocking these workarounds is critical to protecting their assets, safeguarding their reputation, and reducing the likelihood of legal repercussions. Some platforms are adopting technical tools like deep packet inspection (DPI), which examines the content of data packets as they travel across a network, and blacklisting known Internet Protocol (IP) addresses of VPNs. However, enforcement remains inconsistent, and many sites are simply not doing enough.

With the UK government showing no immediate plans to ban VPN use outright, an industry-wide effort must be made to close the loopholes ultimately endangering children online. By implementing more robust technology and effectively blocking repeat offenders, adult content providers can encourage the use of official age verification systems. While a full ban seems unlikely, a greater attempt from the government - perhaps through Ofcom - is needed to standardise VPN prevention practices. This could involve introducing minimum technical standards for sites to adhere to, which would in turn encourage the adoption of stronger privacy-first age verification technology. Until these actions are taken, the new rules intended to protect children will continue to be undermined and rendered ineffective.

A decentralised approach to verification

To build lasting trust in age verification systems, companies must move beyond conventional models and adopt decentralised identity solutions. While current verification methods technically work, they create unnecessary friction for users and raise significant concerns about the volume of personal data required. Without a shift towards user-centric control of data, many people will continue to bypass safeguards through VPNs and other alternative workarounds.

Decentralised identity systems give individuals control over their personal data while still enabling governments and organisations to securely issue and verify digital credentials. This approach enhances privacy, reduces the risk of identity theft, and streamlines verification processes for both individuals and businesses.

At the heart of this system are verifiable digital credentials, securely stored in personal digital wallets. These credentials consist of only the relevant attributes – such as proof of age – without exposing full identity documents or unrelated personal details. This allows media platforms to confirm eligibility instantly without ever accessing sensitive data.

This approach directly alleviates many of the concerns driving VPN use. Because data is not repeatedly shared or stored, the risk of identity theft is reduced, attack surfaces are minimised, and credentials are cryptographically secured to guarantee authenticity. From a user experience perspective, it enables companies to provide frictionless logins while individuals gain greater control over their digital identities, giving them the privacy they demand.

Laying the foundations for a safer internet

The Online Safety Act’s age verification requirements have exposed a fundamental mistrust in how personal data is handled online. Consequently, VPN use and inconsistent enforcement of current safeguards are actively undermining the system and leaving children vulnerable to harmful content.

Decentralised identity offers a critical path forward. By combining robust protection for children with enhanced transparency and user control over data, it strikes the necessary balance between safety and privacy. Crucially, the success of this approach hinges on immediate collaboration between all stakeholders, the adoption of common technical standards, and comprehensive public education.

Alex Laurie is SVP at Ping Identity

Main image courtesy of iStockPhoto.com and CHOLTICHA KRANJUMNONG