17.7 Practical responses to UK restrictions

If you read one page in this chapter, read this one.

Principles first

This page gathers the practical steps scattered through the rest of the chapter into one place. Before the lists, three principles are worth stating, because they explain why the steps are what they are. First, comply with the law and minimise within it: nothing here is about evasion; it is about handing over no more than the rules genuinely require. Second, the most private data is the data you never created — reducing what you disclose at the point of collection beats trying to protect it afterwards. Third, act now rather than later, because tools and choices that are freely available today may be more constrained tomorrow, and habits formed in calm are more reliable than ones improvised under pressure.

None of this requires becoming a security expert or living in fear. Most of it is a handful of sensible defaults set once and then largely forgotten. The aim is an ordinary life with a thinner data trail, not a fortress. Treat the lists below as a menu matched to your own threat model — the idea introduced in Chapter 1 — rather than a set of commands to follow wholesale.

A baseline for everyone

These steps are low-effort, lawful, and worth doing regardless of who you are. They are the equivalent of locking your front door: not because you expect a burglar tonight, but because it is cheap and sensible.

  • Use a reputable password manager and unique passwords for every account, so that one breach does not cascade. See 2.2.
  • Turn on multi-factor authentication, preferably with an app or hardware key rather than SMS, as in 2.3 and 2.4.
  • Make end-to-end encrypted messaging your default, not a special case, following 7.1.
  • Keep your devices encrypted at rest and your software updated, as in 3.2 and Chapter 4.
  • Keep your own encrypted backups under keys you control, rather than relying solely on a provider's cloud — particularly relevant given the encryption pressures in 17.5.
  • Practise basic compartmentalisation: separate email addresses and identities for separate parts of your life, as in Chapter 8.

Responding to age checks

Where an age check is legally required, comply, but reduce what you reveal. The detail is in 17.2; the short version:

  • Prefer age-estimation methods over full document upload where a service offers a choice, since estimation can reveal less than your name and document number.
  • Favour providers that clearly state they do not retain data and that have been independently assessed; be wary of vague policies.
  • Do not link age checks to your primary email or to accounts that already identify you.
  • Treat any biometric or document data as highly sensitive, and hand over only what the system genuinely requires.
  • Remember that a non-UK VPN location will cause many UK age gates not to appear at all, which is lawful for an adult — see below and 17.4.

Protecting your communications

Strong encryption remains lawful and available; use it well while you can, per 17.5 and Chapter 7.

  • Use end-to-end encrypted messengers that are encrypted by default and that have a record of resisting compromise.
  • Enable disappearing messages for routine conversations, so that a future demand or seizure finds less.
  • Keep sensitive backups (such as message history) encrypted locally rather than in an unencrypted cloud.
  • For email, which is rarely end-to-end encrypted, assume it is readable in transit and at rest, and keep genuinely private matters off it — see 7.2.
  • Maintain at least one way to reach the people who matter to you that does not depend on a single platform or account.

Handling digital identity

Digital identity is still being decided, so the posture is mostly about restraint and attention, per 17.3.

  • Where elements remain optional, decline to adopt them unless they genuinely serve you; do not opt in merely because it is offered.
  • Resist using one government or platform identity to log in everywhere, since every such use adds a link to your profile.
  • Keep physical documents and offline fallbacks where they still work, so you are not wholly dependent on one digital credential.
  • Where a credential becomes mandatory for a specific purpose, use it only for that purpose, and keep it compartmentalised from unrelated activity.
  • Be alert to scope creep: note when a credential introduced for one thing starts being demanded for another.

Network and location

These tools change who can see your traffic and where it appears to come from; understand their limits, per 5.2 and 17.4.

  • If you use a VPN, choose a reputable, audited, no-logs provider with a transparent owner; avoid free VPNs that monetise your data.
  • Consider establishing a paid subscription with a good provider now, while the market is open and unrestricted.
  • Use encrypted DNS so your internet provider cannot trivially log every site you look up.
  • For strong anonymity rather than mere location-shifting, understand the Tor network and its trade-offs, per Chapter 5 and 6.2.
  • Do not over-stack tools: match the tool to the actual goal, since unnecessary layers add friction and can make you more distinctive.

The civic dimension

Several measures in this chapter have been delayed, softened, or withdrawn because people noticed and objected. Individual technical steps protect you; collective attention protects the environment everyone shares. This part is not optional extra credit — it is how the rules you will live under five years from now actually get decided.

  • Stay accurately informed, and distinguish what is law from what is merely proposed, so your response is proportionate.
  • Engage with consultations, petitions, and your elected representatives on measures that are still open.
  • Support organisations that scrutinise surveillance and defend digital rights and a free press.
  • Defend the legitimacy of privacy tools and strong encryption in ordinary conversation, since public understanding shapes what is politically possible.
  • Support independent, privacy-respecting services, whose survival is not guaranteed under the current regime.

Staying lawful, and staying calm

Two closing reminders. First, everything recommended here is lawful in the UK as of this writing: protecting your privacy, using encryption and VPNs, minimising disclosure, and declining optional schemes are all legitimate. This guide does not advise breaking the law, both because that is the right line to hold and because breaking the law is where you put yourself at real risk. Where a measure is mandatory, the advice is to comply and minimise, not to evade. The ethics of this are discussed in 16.11.

Second, keep your composure. The point of this chapter is not to frighten you into withdrawal but to equip you to act sensibly and to participate in the public argument from a position of understanding. Adopt the baseline, follow the specific steps that fit your situation, stay informed, and get on with your life. Privacy is not about having something to hide; it is about retaining the ordinary room for thought, error, and expression that a free society depends on. Defending it, calmly and lawfully, is the whole purpose of this guide — and the rest of it, from Chapter 1 onward, fills in the detail behind every step summarised here.