Record numbers download VPNs as Online Safety Act forces sites to check your age with credit card or passport

Proton VPN recorded an hourly spike exceeding 1,400% above its typical usage levels in the immediate aftermaths of the Online Safety Act rolling out across the UK. The Swiss provider leapfrogged ChatGPT to become the most-downloaded free app in Apple's App Store, which allows iPhone and iPad owners to install software.

• How VPNs are enabling UK users to avoid strict new 18+ age checks

It wasn't alone. The unprecedented demand has propelled VPN services on both Apple's UK App Store and Google Play Store, with half of the top 10 free applications being VPN software at the time of writing. One popular provider, NordVPN, stated it saw a 10x increase in subscriptions from Britons looking to avoid the mandatory age checks.

Reform UK's Sarah Pochin and Human Rights Campaigner Peter Tatchell go head-to-head in an intense clash over whether the Online Safety Act should be repealed 

The Online Safety Act requires any online platform that hosts adult content to implement robust age verification before it allows visitors access. If you attempt to visit, you must prove you're over 18 using one of the approved methods:

• Facial age estimation – Show your face via photo or video, and technology analyses it to estimate your age
• Open banking – Give permission for the age-check service to securely access information from your bank account information to assess whether you're over 18
• Digital identity services – Use a digital identity wallets, which can securely store and share information which proves your age in a digital format
• Credit card age checks – Provide your credit card details and a payment processor checks whether the card number is valid. As you must be over 18 to obtain a credit card, this immediately verifies you're over 18
• Email-based age estimation – Provide a valid email address, and technology analyses other online services where it has been used – such as banking or utility providers — to estimate your age
• Mobile network operator age checks – Grant permission for an age-check service to confirm whether or not your mobile phone number has age filters applied to it. If there are no restrictions, this confirms you are over 18
• Photo-ID matching – Upload an image of an official Government ID that includes your Date of Birth, like a driving licence or passport. You'll also need to upload an image of yourself – these are compared to confirm if the document is yours

Major platforms, like X (formerly Twitter), Reddit, Discord, Bluesky, and Grindr have implemented these checks. It's unsurprising that we're seeing such widespread uptake. Companies found avoiding these new rules can face penalties reaching as high as £18 million or 10% of total global revenue — with potential criminal proceedings against executives or senior management who ignore Ofcom's information requests.

The Online Safety Act targets multiple categories of content, which will now blocked by default for all unverified users:

• Pornographic and adult material
• Content promoting self-harm or suicide
• Eating disorder-related material
• Extreme violence or gore content
• Dangerous stunts and challenges
• Misogynistic or hateful content
• Online bullying material

Why the sudden spike in VPN usage in the wake of these strict age checks?

When you connect to a VPN, everything you do online is re-routed via the provider's servers. If you choose a VPN server in the same country, this serves as a way to encrypt and mask everything you do online, including the websites you visit, the amount of time spent on each service, and much more.

If you choose a server based in another country, VPNs can make it appear as if you're located outside of the UK — outside of the jurisdiction of the Online Safety Act.

• Microsoft culls VPN for millions of PC owners

By picking a VPN server in another country, websites can no longer detect you're browsing from within the UK, so the mandatory age checks and other restrictions imposed by Online Safety Act vanish.

This is no different to what would happen if you jumped on a plane on holiday and tried to login to any of these services from abroad. It's comparable to using a foreign phone box rather than your own mobile – the recipient can't identify your true location or identity.

• Popular VPN will send you £5,000 if your identity is stolen by cybercriminals

Once the domain of enterprise users, VPNs were already becoming more mainstream due to the security protections afforded by encrypting all of your internet traffic — keeping your location hidden from your broadband supplier, advertisers, and hackers.

However, the popularity of these apps has been supercharged by the Online Safety Act.

Google Trends data, which shows the popularity of Google searches, revealed that queries around "VPN" increased 10x at peak times over the weekend as Britons were confronted with the age verification checks for the first time. Searches for specific providers showed dramatic rises – NordVPN and Proton VPN experienced large increases, while Surfshark reported medium growth. Terms like "UK VPN" and "free VPN" also surged significantly on Google, data shows.

The sustained nature of these increases distinguishes them from typical short-term spikes. Proton VPN emphasised that unlike previous surges associated with civil unrest or protests, this uptick has remained consistently high since midnight on 25 July, indicating a fundamental shift in British internet usage patterns rather than a temporary reaction.

"We would normally associate these large spikes in sign-ups with major civil unrest," the VPN provider explained.

It's clear that concerns around sharing data with these new age checks is behind some of the skyrocketing interest in VPNs, with Britons worried that photos of passports, credit card numbers, or selfies being retained, used, or linked to other online activity on restricted websites.

LATEST DEVELOPMENTS

• Best VPN deals
• Google issues VPN warning to millions
• Slow broadband? Awesome upgrade costs just £17
• Hundreds of dodgy streaming sites BLOCKED in UK

The Tea app breach last week, which exposed thousands of verification selfies and photo IDs, exemplifies these dangers. Users fear becoming part of databases linking their identities to specific online activities, particularly given past breaches at major organisations like Marks & Spencer, The Co-Op, and even the Electoral Commission.

However, experts warn that some VPNs can also carry similar security and privacy risks, especially those offering all of the benefits of the service for free. Since there's no clear way to pay for the server costs, app development, and all of the other associated costs, it's likely the service is monetising data on your traffic or other means.

"Many of these free VPNs are riddled with issues," Daniel Card, a cyber-security expert with BCS, the Chartered Institute for IT, told the BBC. "Some act as traffic brokers for data harvesting firms, others are so poorly built they expose users to attacks."

A 2016 study discovered malware in 38% of analysed VPNs on Android, whilst threat analysts at CYFIRMA identified malicious software distributed through free VPNs on GitHub a few months ago. Hola VPN, which describes itself as a "fast, secure, and reliable" Virtual Private Network explicitly states in its Terms and Conditions that its sister company — Bright Data — will be able to sell free users' residential IPs as proxy servers.

Another popular choice, FreeVPN.org, which is currently topping download charts, lacks any physical address and provides minimal privacy documentation. Hotspot Shield faced complaints in the United States a few years ago over claims it shared personally identifiable information with advertisers.

Graeme Stewart, Head of Public Sector at Check Point Software, warns that the current approach has created a dangerous mix of poor security, overreach, and a growing erosion of public trust. He told GB News: "The Government’s attempt to regulate online harm has backfired spectacularly. In trying to stop children seeing harmful content, they’ve driven tens — maybe hundreds — of thousands of people to adopt tools that make lawful interception near-impossible.

"Worse still, they’ve outsourced enforcement to unaccountable third parties, relying on fragmented databases that offer no guarantee of security, legitimacy, or transparency. Evidence is already emerging of fake Google and ChatGPT-generated IDs being accepted.

"From a cybersecurity perspective, this is last-century thinking. And here’s the kicker: by using a VPN to protect yourself, you now risk being flagged as a person of interest. You can’t claim to protect privacy while handing people’s most sensitive data to unregulated vendors.

"People are turning to VPNs because they don’t trust the system, and who can blame them? These are the same tools protecting journalists, whistleblowers, and citizens from surveillance and abuse."

Opposition to the legislation is mounting rapidly, with a petition demanding the Act's repeal gathering over 340,000 signatures within days of implementation.

Created by Alex Baynham, founder of the Build party, the petition argues Parliament should "repeal the act and work towards producing proportionate legislation rather than risking clamping down on civil society."

Having crossed the 100,000-signature threshold, the petition must now be considered for parliamentary debate. Baynham urges concerned citizens to contact their MPs, explain their specific objections, and ensure representation at any forthcoming debate before the October 22 deadline.

"We believe that the scope of the Online Safety Act is far broader and restrictive than is necessary in a free society," the petition states, warning the legislation risks restricting discussions about "trains, football, video games, or even hamsters because it can't deal with individual bad faith actors."