Practical Privacy, Security, and Speech Guide
A field guide to modern privacy, security, and freedom of speech.

17. UK digital restrictions and government overreach

Surveillance camera against a grey sky
Rules introduced for safety reshape what ordinary use looks like.

Why this chapter exists

The rest of this guide is largely timeless. The way encryption works, the reasons compartmentalisation helps, and the limits of a VPN do not change much from one year to the next. This chapter is different. It describes a specific moment in the United Kingdom, when a cluster of laws, regulations, and proposals began to change the everyday relationship between a person and the internet. The details will date. The direction of travel, and the way to think about it, will not.

Over a short period the UK has moved from a country where you could read, watch, and speak online without proving who you were, to one where identity, age, and location are increasingly demanded before you are allowed to do ordinary things. None of this arrived as a single dramatic announcement. It came as a series of reasonable-sounding measures, each justified by child safety, fraud prevention, or national security, and each adding a new place where you must identify yourself or be checked. The cumulative effect is larger than any single measure, and that is the part most easily missed.

This chapter is not a campaign and it is not legal advice. Its purpose is to set out, plainly and accurately, what is being introduced or threatened, why it matters for privacy and free expression, and what an ordinary person can sensibly do in response. Some of these measures are already law. Some are live proposals. Some are floated by politicians and may never happen. The page on each topic says clearly which is which, because the right response to a settled law is different from the right response to a trial balloon.

What is actually happening

Layers where identity and access checks accumulate.
Each measure adds a checkpoint; together they form a stack.

It helps to see the separate measures as parts of one system rather than as isolated stories. Read together, they describe a structure in which more of online life is gated behind a check, and more of those checks are tied to a verified, real-world identity. The sections below summarise each strand; the dedicated pages that follow go into the detail.

The Online Safety Act as the engine

The Online Safety Act 2023 is the legal engine behind much of what follows. It places duties on online services to assess and reduce the risk of illegal and harmful content, and it gives the regulator, Ofcom, broad powers to write codes of practice, demand information, and levy very large fines. Most of the visible consequences of 2025 — age checks on adult sites, removals of content, the retreat of some smaller forums — flow from how this Act is being implemented. It is covered in detail in 17.1.

Age checks everywhere

From mid-2025, services that allow pornography or other content judged harmful to children have been required to use what the law calls "highly effective age assurance". In practice this means uploading identity documents, submitting to a face scan that estimates your age, or handing verification to a third-party company. What began with adult sites is spreading to other platforms, and the technical machinery built for it can be pointed at almost anything. This is covered in 17.2.

A national digital identity

Separately, the government has been building the components of a national digital identity: a single sign-on for government services, a digital wallet to hold official credentials, digital driving licences, and a proposed mandatory digital ID intended initially to prove the right to work. Supporters present it as convenience and a tool against illegal employment. Critics see the foundations of a system in which a single credential is needed to participate in daily life. This is covered in 17.3.

Pressure on encryption

At the same time, the legal pressure on end-to-end encryption has intensified. Under powers in the Investigatory Powers Act, the government has issued secret notices to technology companies, and in 2025 one such demand led a major manufacturer to withdraw an encrypted backup feature from the UK rather than weaken it everywhere. The Online Safety Act also contains a power that could, in principle, require encrypted messaging services to scan messages. This is covered in 17.5.

VPNs and the circumvention question

When age checks arrived, VPN use in the UK rose sharply, because a VPN makes a connection appear to originate elsewhere and so sidesteps a location-based check. That visible surge prompted politicians to ask aloud whether VPNs should themselves be restricted. No ban exists, and a comprehensive one would be very hard to enforce, but the fact that it is now discussed at all marks a shift. This is covered in 17.4.

Age limits for social media

Following Australia's move to bar under-16s from social media, ministers in the UK have signalled interest in similar restrictions, alongside ideas such as app curfews and limits on smartphone use by children. These are proposals rather than law, but they would, if introduced, require platforms to know the age — and therefore something about the identity — of every user, not only children. This is covered in 17.6.

The common thread: identity attached to everything

The single most useful idea in this chapter is that these measures share a direction. Each one, on its own terms, is about safety or fairness. But each one also has the effect of attaching a verified identity to an activity that used to be anonymous or pseudonymous: reading, watching, speaking, working, proving your age. Once identity is attached at one point, it becomes easier to attach it at the next, because the infrastructure and the public habit already exist.

This is why the cumulative picture matters more than any single rule. An age check on an adult site, taken alone, affects a narrow activity. A digital wallet, taken alone, is a convenience. A power to scan messages, taken alone, is aimed at the worst crimes. But a society in which you routinely prove who you are to read, to speak, to work, and to receive services is a different society from one in which you do not, regardless of how benign each individual step was. The value of privacy is not that any one disclosure is catastrophic; it is that the absence of routine identification leaves room for ordinary life, dissent, and error.

It is also worth being honest about the genuine problems these measures respond to. Children do encounter material online that harms them. Fraud is real and devastating. Serious criminals do use encrypted channels. The argument in this chapter is not that these problems are imaginary, but that the chosen responses carry costs to everyone's privacy and freedom that are frequently understated, that fall hardest on the law-abiding, and that are difficult to reverse once the infrastructure is built. A measure can be well-intentioned and still be a poor trade.

How to read the rest of this chapter

Each page that follows is structured the same way. It explains what the measure is, distinguishes clearly between what is law and what is merely proposed, sets out the genuine privacy and free-expression concerns without exaggeration, and then offers practical, lawful responses. The aim throughout is to keep you accurately informed rather than alarmed, because fear leads to poor decisions and overstatement is easy to dismiss.

Nothing in this chapter encourages breaking the law. Several of the protective steps it describes — using a VPN, choosing encrypted messengers, minimising the personal data you hand over, declining optional identity schemes — are entirely legal in the UK today. Where a measure is mandatory, the chapter says so, and focuses on reducing the data you expose rather than on evasion. The distinction matters, both ethically and for your own safety, and it is discussed throughout the rest of the guide, particularly in Chapter 16 on freedom of speech and Chapter 1 on threat modelling.

The practical responses are gathered together in 17.7, so that if you read only one page after this one, it can be that. The others give the reasoning; the last gives the checklist.

Keeping perspective

It is easy, reading a chapter like this, to slide into either complacency or panic, and both are mistakes. Complacency says that none of this affects ordinary, law-abiding people, which ignores how often broad systems catch the innocent through error, breach, or mission creep. Panic says that the country has already become a surveillance state and nothing can be done, which is both inaccurate and paralysing. The truthful position sits between them: real powers and real infrastructure are being built quickly, public scrutiny has not kept pace, and individuals still have meaningful, lawful choices about how much they expose.

The UK remains a place with courts, a free press, elections, and a vocal civil society. Several of the measures described here have been challenged, delayed, or amended precisely because people noticed and objected. Staying informed is therefore not a counsel of despair but a precondition for that scrutiny to continue. The purpose of this chapter is to make you one of the people who has noticed, and to give you the means to act on it sensibly — for yourself, and as part of the wider public conversation about what kind of digital society the country chooses to build.