After the secon phase of implementation of the UK’s so-called Online Safety Act, VPNs will be effectively made illegal - as it will be impossible for customers to use VPNs without uploading photo ID/ID documents, which the likes of Norton will be required to obtain and store. Resulting in zero privacy - the annulment of the “private” aspect of the network. Anyone so naive as to believe this data will not be used by both the “State” and service-providers such as Mircrosoft, Apple and Norton themselves, to, in intricate detail, track individuals’ web traffic, and block/censor sites and search-terms, and harrass and abuse individuals, is in themself a threat-to/abuser-of humanity in general.
How can we regard Norton as anything other than a threat-to/abusers of humanity in general when they have not publically spelled out in detail how they will - as morally, they must - refuse to comply with this law, and fight on all fronts to destroy both this law and the amoral subhuman monsters who advocated and/or wrote it?
The second phase of implementation of the UK’s Online Safety Act focuses on child safety and includes duties related to protecting children from harmful content (both illegal and legal but harmful).
Key aspects of Phase 2, which has been phased in during 2025, include:
Child Safety Duties: Services that are likely to be accessed by children must conduct a children’s access assessment and, subsequently, a children’s risk assessment to identify and mitigate risks of harm to children.
Harmful Content: Platforms are required to implement measures to prevent children from encountering “primary priority” content, such as pornography, and content promoting suicide, self-harm, and eating disorders.
Age Assurance: In-scope services must implement “highly effective” age assurance measures to verify users’ ages and restrict access for minors to age-inappropriate content.
Codes of Practice and Guidance: Ofcom, the UK’s online safety regulator, has published detailed guidance and codes of practice, such as the Protection of Children Codes of Practice and guidance on children’s risk assessments, which services must follow or use equivalent measures.
By late July 2025, in-scope services were required to have completed their children’s risk assessments and implemented the necessary safety measures. This followed the first phase, which focused on tackling illegal content for all users. The third phase, involving additional duties for the largest “categorized” services, is expected to come into force in 2026.
=============================================
The second phase of the UK’s Online Safety Act (OSA) does not make VPNs (Virtual Private Networks) illegal. The use of VPNs for adults remains legal in the UK, as they serve many legitimate purposes such as remote work, cybersecurity, and general privacy.
The core of Phase 2 involves placing a duty of care on online platforms to implement robust age verification for content that is harmful to children, such as pornography or material promoting self-harm. The law’s requirements are on the websites and platforms, not individual users.
While the Act has led to a significant surge in VPN use as adults seek to bypass the new age verification measures, the UK government has explicitly stated there are no current plans to ban VPNs.
Key points:
VPNs are legal: It is legal for individuals in the UK to use a VPN.
Focus on Platforms: The Act requires platforms to take reasonable steps to prevent children from accessing inappropriate content and to implement highly effective age verification.
No user offense: It is not an offense for a user to employ a VPN to circumvent age checks, although it may violate a service’s terms of service.
Government position: UK officials have acknowledged the increased use of VPNs but maintain they have no plans to issue a blanket ban. They do, however, penalize platforms that promote VPNs as a way for children to bypass safety protections.
Ongoing debate: There are ongoing discussions and some pressure from certain groups (such as some cross-party Lords and the Children’s Commissioner) to address the “loophole” that VPNs present to the age restrictions, but no legislation has made them illegal.
The assertion that the UK’s Online Safety Act (OSA) will make VPNs illegal or force providers like Norton to implement mandatory photo ID uploads for all users is incorrect.
The Online Safety Act and VPNs
VPNs are not banned: The use of VPNs is legal in the UK, and the Online Safety Act does not change this. The UK government has explicitly stated it has no plans to ban VPNs, recognizing their many legitimate business and privacy uses.
Age Verification Requirements: The Act places duties on online platforms (such as social media, search engines, and adult content sites) to implement “highly effective” age verification or age assurance methods for UK users to prevent children from accessing harmful material.
Verification Methods: These platforms may use various methods to verify age, including requesting government-issued ID, facial age estimation from a selfie, or credit card checks. These data collection requirements are the reason many adults in the UK have started using VPNs to bypass these checks and protect their privacy.
Focus is on Platforms, not Users/VPN Providers (for now): The legal obligations and potential fines are directed at the platforms hosting the content, not individual users of VPNs. However, the government is monitoring circumvention techniques and has warned that platforms that actively promote the use of VPNs as a workaround could face enforcement action.
Potential Future Amendments: While a general ban on VPNs is not being considered, there have been proposals and debates in the House of Lords to amend the Children’s Wellbeing and Schools bill to ban children (under 18s) from using VPN services. This potential amendment would likely require age checks for VPN providers themselves, a move strongly opposed by privacy advocates.
Norton’s Position
VPN providers like Norton, and others operate with a no-logs policy, meaning they do not store user activity or personal data that could be used for tracking or identification. If a law similar to the one you described were to be enacted and enforced on VPN providers, it would contradict this fundamental aspect of VPN technology. In similar past situations (e.g., in India), leading VPN providers chose to remove their physical servers from the region rather than comply with data logging mandates.
Regarding Norton’s public stance, they, along with other providers and digital rights groups, have not made specific detailed public commitments to “fight on all fronts to destroy” the law, but have highlighted the privacy concerns associated with the OSA’s age verification requirements and the surge in VPN usage as a response to those concerns.
Gen Digital (Norton’s parent company) has not issued a specific official statement regarding the UK’s Online Safety Act, but it maintains a clear and strong public stance on its commitment to user privacy and its strict no-log VPN policy.
Key aspects of Norton’s official position, as detailed in its public privacy notices and blog posts, include:
Strict No-Log Policy: Norton emphasizes that it does not log user activity, including browsing history, DNS queries, or originating IP addresses. This means they do not have data on what websites a user visits or for how long.
Minimal Data Collection: The company states it only collects the minimum necessary data to provide and improve the service (e.g., email address for account creation).
Independent Audits: Norton’s no-log policy has been independently audited by third parties, such as VerSprite, which confirmed its practices and rated its privacy impact as “None”.
Transparency Reports: The company publishes a Transparency Report detailing government or law enforcement requests for user data. In these reports, they state that due to their no-log policy, they have no information to share in response to such requests.
Commitment to Compliance Without Compromise: Their official statements suggest they believe their VPN can remain legally compliant while still adhering to a strict no-log policy, as there is simply no activity data to share.
Response to Data Retention Laws: A support article confirms that the Norton VPN feature is no longer available for use within India “as a result of governmental regulations requiring the logging and saving of user data”. This action demonstrates their commitment to prioritizing their no-log policy over operating in jurisdictions with mandatory data retention laws.
In summary, while there is no specific statement on the UK Online Safety Act, Norton’s official materials strongly indicate a commitment to protecting user privacy through technical and policy measures. Their actions in other regions, like India, suggest they would likely cease operations in a jurisdiction rather than implement the type of mandatory ID/data logging you described.
The Electronic Frontier Foundation (EFF) has extensively criticized the UK’s Online Safety Act (OSA), arguing it poses a severe threat to online privacy and free expression. A key development has been a surge in UK citizens using VPNs (Virtual Private Networks) to bypass the age verification requirements mandated by the new law, which has in turn led to some politicians considering a ban on VPNs.
EFF’s Position on the Online Safety Act and VPNs
Opposition to Age Verification: The EFF fundamentally opposes age verification mandates, arguing they create a “sprawling surveillance regime” and expose users to significant data breach risks. They contend that these laws do not effectively protect children but rather lead to censorship and algorithmic discrimination.
Defense of VPNs: The EFF actively defends the use of VPNs as legitimate tools for protecting privacy and circumventing censorship. They have warned that attempts to ban VPNs, often linked to efforts to enforce age-gating, are a “privacy nightmare” and an “authoritarian control on accessing information”.
Advocacy Efforts: The organization has joined with other civil liberties groups, such as the Open Rights Group and Big Brother Watch, to brief UK politicians and urge them to repeal or reform the Online Safety Act.
The Situation in the UK
Increased VPN Usage: Following the implementation of age checks under the OSA in mid-2025, VPN apps became the most downloaded on Apple’s App Store in the UK, indicating a clear public desire to avoid the new restrictions.
Government Response: While VPNs are currently legal in the UK, some government figures have suggested a ban might be necessary to prevent users from bypassing age verification. The government has stated it has no plans to repeal the OSA and is working with the regulator, Ofcom, on implementation.
EFF Guidance on VPNs: The EFF provides a comprehensive guide on choosing a VPN that’s right for you, emphasizing that while VPNs can enhance privacy, users should select reputable, paid services, as free VPNs often collect personal data.
The Electronic Frontier Foundation (EFF) has raised several significant privacy concerns regarding the UK’s age verification laws, primarily focusing on the creation of extensive surveillance systems and the heightened risk of data breaches.
Key privacy risks highlighted by the EFF include:
Creation of “Data Honeypots”: The laws force numerous websites to collect and store vast amounts of sensitive personal information, such as government IDs and biometric data. These centralized databases become prime targets (“honeypots”) for hackers, which significantly increases the risk of large-scale data breaches, identity theft, and fraud.
Destruction of Anonymity: Requiring users to link their real-world identity to their online activities effectively eradicates online anonymity. This makes it possible to create a permanent, detailed record of a person’s browsing habits and content consumption, which could be used for surveillance by governments, law enforcement, or data brokers.
Vulnerability for Marginalized Groups: The loss of anonymity is particularly dangerous for vulnerable individuals, such as domestic abuse survivors, journalists, activists, and LGBTQ+ youth who may rely on online anonymity to seek support or information safely.
Third-Party Data Sharing: Age verification often involves users submitting their data to third-party verification companies, not just the website itself. Users have little control over how these multiple entities store, use, or further share their personal information, raising concerns about questionable privacy policies and potential misuse.
Biometric Data Collection: Many age verification and estimation systems rely on the collection of biometric data, such as facial scans. This normalizes pervasive biometric surveillance and creates infrastructure that could easily be repurposed for more invasive tracking in the future.
Algorithmic Discrimination: Age estimation technologies, particularly those using facial recognition, have been shown to be less accurate for people of color and transgender individuals. This can lead to discriminatory outcomes and effectively block marginalized communities from accessing online spaces.
The EFF argues that these methods do not effectively protect children but rather create significant risks for all internet users, warning that good intentions do not eliminate the serious, real-world harms to privacy and security. For more information on the dangers of age verification, see the EFF’s Age Verification Resource Hub.
EFF, Open Rights Group, Big Brother Watch, and Index on Censorship Call on UK Government to Reform or Repeal Online Safety Act By Paige Collings December 15, 2025 here
==========================================
The UK’s Online Safety Act (OSA) is a landmark piece of legislation that imposes a legal “duty of care” on online service providers to protect users, particularly children, from illegal and harmful content. Enacted in October 2023, the Act is regulated and enforced by the UK’s communications regulator, Ofcom.
Key Objectives and Provisions
The primary goal of the OSA is to make the UK “the safest place in the world to be online”. It shifts the responsibility for user safety from the user to the online platforms themselves.
Tackling Illegal Content: All in-scope services must conduct risk assessments and proactively take robust action to prevent and remove a wide range of illegal content, including child sexual abuse material (CSAM), terrorism content, fraud, hate crimes, and content promoting self-harm or suicide.
Protecting Children: Platforms “likely to be accessed by children” face stricter requirements. This includes using “highly effective age assurance” (such as age verification or estimation) to prevent children from accessing primary priority content like pornography and to provide age-appropriate experiences for other types of harmful material (e.g., bullying or violent content).
Empowering Adult Users: For legal but potentially harmful content, the Act gives adult users greater control over what they see and interact with through optional filtering and blocking tools.
Transparency and Accountability: The largest and highest-risk platforms (categorized services) are required to publish regular transparency reports detailing their safety measures and enforcement actions, and to provide clear user reporting and redress mechanisms.
Extraterritorial Scope: The Act applies to any online service with a significant number of UK users or that targets the UK market, regardless of where the company is based.
Enforcement and Penalties
Ofcom is granted extensive powers to enforce compliance, including:
Substantial Fines: Companies can be fined up to £18 million or 10% of their annual global turnover, whichever is greater.
Criminal Liability: In serious cases of non-compliance with information requests or child safety duties, senior managers may face criminal charges and up to two years in prison.
Service Restrictions: In extreme circumstances, Ofcom can seek court orders to force internet service providers to block access to non-compliant websites in the UK.
The implementation of the Act is occurring in phases, with duties regarding illegal content and child safety already in force or expected to be fully in effect by mid-to-late 2025. The specific codes of practice and guidance for compliance are published by Ofcom on its website https://www.ofcom.org.uk/.
===============================
Norton is not fighting the UK’s Online Safety Act through public campaigns or litigation because, as a security software and VPN provider, its services are generally complementary to, or operate within the framework of, existing laws, and it does not have the same user-generated content liabilities as social media or content platforms. Unlike platforms such as Wikipedia or social media giants who face direct regulatory burdens and legal challenges, Norton’s business model is not fundamentally threatened by the Act’s core requirements.
Key points related to Norton and the Act:
VPN Legality and Use The use of VPNs is legal in the UK. In fact, interest in and downloads of VPNs, including those offered by companies like Norton, surged following the Act’s implementation, as users sought to bypass the new age verification checks.
Business Model Alignment Norton provides cybersecurity and privacy tools. The Online Safety Act aims to enforce laws and protect children, which is not in direct conflict with Norton’s stated purpose of providing online security.
Lack of Direct Liability The primary targets of the Act are large platforms hosting user-generated content and pornography sites, which are required to implement robust age verification or content moderation systems. Norton does not operate such platforms and is not subject to the same compliance challenges or risk of massive fines for hosting harmful content.
Third-Party Concerns Critics of the Act argue it drives users toward less regulated, riskier online spaces and creates data privacy concerns with third-party age verification services, which inadvertently highlights the value of the security and privacy solutions (like VPNs) that Norton offers.
Regulatory Focus The government and regulator (Ofcom) are focused on making content providers and social media giants comply. There have been no government plans to ban VPNs, despite some calls from certain MPs to do so, thus Norton’s core services remain unaffected by such prohibitions.
While other large tech companies like X and Wikipedia are launching legal challenges or considering blocking UK users, Norton has not been a party to these public disputes because its business is not under the same existential threat from the legislation.
VPN providers view the UK’s Online Safety Act as a driver of business due to a surge in demand from users seeking privacy and to bypass age verification, but industry groups and privacy advocates oppose the potential for government overreach or restrictions on VPN usage.
Surge in Demand: VPN providers reported spikes in UK sign-ups when the age verification measures came into force. This indicates that the Act, in practice, has increased the perceived value and necessity of VPN services for many users.
Emphasis on Legality and Privacy: Providers consistently highlight that VPNs are a legal means to protect privacy and security online, used for legitimate purposes such as secure remote work and general anonymity. They stress their no-logs policies, arguing that this is fundamental to their service and makes user activity data unavailable even if requested by authorities.
Opposition to Restrictions: Industry groups, such as the VPN Guild, and privacy advocates like the Open Rights Group, argue that any attempt to restrict or ban VPNs would have damaging consequences for cybersecurity, freedom of expression, and privacy. They oppose potential government ideas of requiring age checks for VPNs or using intrusive traffic analysis (deep packet inspection).
Focus on the Act’s Flaws: The industry position generally is that the Act is flawed because it drives users toward less regulated online spaces and creates data privacy risks with third-party age verification services, rather than effectively protecting children who can often find other circumvention methods.
Compliance is not an issue: As the Act primarily targets content platforms and pornography sites, not the VPN infrastructure itself, providers can remain compliant with existing laws while continuing to offer their services. The onus to prevent children from accessing content is on the platforms, not the network providers.
VPN providers have not fought the Act directly through legal action because their services remain legal and in high demand, but they and their associated advocates publicly critique the Act’s privacy implications and oppose any future attempts by the UK government to regulate or ban VPN usage.
=====================================
Ofcom has stated it is monitoring the use of VPNs to evaluate the effectiveness of the Online Safety Act’s age verification measures, and has indicated it is considering “further action” in the future, but has not publicly supported a complete ban.
Key aspects of Ofcom’s position:
Monitoring VPN Usage: Ofcom is using third-party tools to monitor the general trends of VPN use in the UK to understand if people, particularly children, are effectively bypassing the new age restrictions.
Discouraging Circumvention: The regulator has cautioned against using VPNs to get around the Act’s age verification, stating that platforms should not host content that encourages such behavior.
Focus on Content Platforms, not VPNs (Currently): The current enforcement action is focused on the platforms and pornography sites themselves, ensuring they implement “highly effective” age assurance.
“Further Action” Possible: Ofcom has confirmed it is gathering more evidence, including engaging with youth panels and surveying families, to “guide thinking and decisions about whether there is a need for further action in this area”.
No Current Ban Plans: A UK government minister stated in the House of Lords that while “nothing is off the table,” there are “no current plans to ban the use of VPNs” due to their many legitimate uses (e.g., for business security).
Parental Responsibility: Ofcom also emphasizes the role of parental controls and encouraging conversations with children about online safety as an important part of the solution.
Ofcom’s official stance is to gather data and monitor the situation closely, leaving the door open for potential future regulations on VPNs if they are found to be significantly undermining the Act’s child protection goals.
@GROW-PING Simply stated, Norton, as other companies, are required to comply with the laws within those countries to do business in that country. Service providers and governmental restrictions are the catch 22 firewall the citizen/customer has to deal with since their data passes through the ISP long before it reaches the services of any VPN. Software providers cannot and won’t become political, nor advocate otherwise. Directing complaints to your local/regional government is the appropriate avenue to proceed with.