The Age Verification Arms Race Just Moved to Your Operating System

Apple volunteered to be the internet's bouncer. The UK didn't even ask. Now the same infrastructure is heading to the US, France, and Australia. And VPNs are next on the list.


Last July, an X user called Dany Sterkhov pointed his phone at the photo mode of Death Stranding and fooled Discord’s age-verification system with Norman Reedus’s face. The character, hat and all, opened and closed his mouth exactly as the liveness test demanded. Access granted. The same trick worked on Reddit. It was absurd, and it was inevitable.

That stunt exposed why website-level age checks were always doomed. They swing between demanding government ID and relying on facial scans so flimsy a video-game avatar can beat them. Three weeks ago Apple ended the pretence. With iOS 26.4 the company rolled out device-level age verification for every UK user. No law forced its hand. Apple volunteered.


Regulators are not inventing the problem. Algorithmic radicalisation, sextortion and the daily grind of online harm are real. The mistake is the chosen fix: turning the operating system itself into a permanent identity gate.

After updating to iOS 26.4, UK users see the prompt at the top of Settings: “Confirm You Are 18+.” Apple first attempts to confirm your age automatically using information associated with your existing Apple Account, including whether you have a credit card on file or how long you have had the account. If that fails, you can add a credit card (debit cards and gift cards are ineligible). Or you can scan a driving licence or other government-issued ID. UK passports are not accepted; a US passport Digital ID in Apple Wallet works in America but not here.

Decline or fail to verify and Apple automatically turns on Web Content Filter across Safari and every third-party browser while enabling Communication Safety. The latter runs entirely on-device with local machine-learning models; it scans Messages, shared albums, AirDrop and FaceTime for nudity and fires off warnings before anything is sent or received. These restrictions hit every unverified account, child or adult. Even though the scanning never leaves your phone, the operating system has decided you cannot be trusted with unfiltered hardware.

Apple’s own support pages spell it out plainly. The company was under no legal obligation. The Online Safety Act targets websites and apps, not operating systems or app stores. Ofcom still praised the move as “a real win for children and families”. Apple chose to position itself ahead of regulators, and the regulators clapped.

The escalation is mechanical

Stage one was website-level checks. Discord used k-ID facial scans (after dropping Persona, following a swift and loud controversy). Reddit used Persona too. Each service built its own database and its own data target. Pornhub reported a 77 per cent drop in UK traffic after enforcement began last July, yet the bypass stories multiplied. The Death Stranding episode was only the most visible. Reddit started demanding age verification even for a hard-cider discussion board. Small forums (from cycling groups on LFGSS to sustainable-living sites to the odd hamster-keeping community) either shut down for UK users or blocked them entirely rather than shoulder the compliance cost.

Stage two is device-level. One verification, persistent and structural. The check binds identity to the hardware. The operating system becomes the chokepoint. The loophole does not merely shrink; it moves inside the device you own.

Stage three is already on the table. If the device knows who you are and how old you are, VPNs become the remaining bypass vector. The House of Lords voted 207 to 159 in January to prohibit providers from offering services to under-18s. The government’s “Growing up in the online world” consultation, open until 26 May, asks outright whether children should be barred from VPNs, whether adults should face age checks to use one, and what that would mean for legitimate users. Each layer of verification simply creates the justification for the next.

The contagion is global

In the United States, California’s Digital Age Assurance Act, Utah and Louisiana’s app-store age signals, and Colorado’s modelled bill are forcing operating systems and app stores to act as identity brokers. Elsewhere, the approach is blunter. France, Australia and Indonesia have passed outright social-media age bans that will require the very same device-level hooks to enforce. Malaysia has announced plans for an under-16 ban but enforcement remains in the regulatory sandbox phase. In every jurisdiction the conversation turns, predictably, to VPNs as the last remaining loophole.

The privacy cost is structural

Every age-verification database is a target. Persona, used by Discord and Reddit, has drawn sharp criticism from the Open Rights Group over data use that stretches far beyond its stated purpose. Researchers (primarily vmfunc and collaborators) discovered roughly 2,500 frontend JavaScript files and source maps sitting wide open on a Google Cloud endpoint tied to a FedRAMP/government-linked setup. The Tea dating app breach last July exposed 72,000 personal IDs and user images in a single incident.

Apple’s device-level approach cuts down on repeated checks per service, but it creates one high-value persistent binding. Once that infrastructure exists it can be repurposed for location, nationality, or whatever else regulators decide matters next. The Electronic Frontier Foundation has warned that embedding age verification at the operating-system level leads to exactly this kind of mission creep: the same mechanisms can be extended far beyond their original purpose. The infrastructure creep is the point.

Requiring identity verification to use a VPN is the ultimate paradox. The tool exists to protect privacy. To get it you must first surrender the very data it is meant to shield. Cybersecurity experts have been saying for months that enforcement will never be watertight. Friendly providers might comply. Global ones in non-cooperative jurisdictions will not. The cat-and-mouse game starts immediately, and determined users will always win it.

Apple did not need to do this and should not have done it. The problem is not that the company wants to protect children. The problem is that it has built a piece of identity infrastructure that will be repurposed for ends that have nothing to do with children, and it has done so voluntarily.

What you should do

The consultation window closes on 26 May. If you are in the UK and value an internet that does not require identity papers at the device level, flood it. Bureaucrats expect silence from the public and pushback only from tech lobbyists. The questions on VPN circumvention are there in black and white. Point out the legitimate uses: journalists protecting sources, vulnerable adults escaping domestic surveillance, anyone who simply wants basic privacy. Note that James Baker of the Open Rights Group has already said there is little evidence young people are using VPNs to bypass age checks in the first place.

On the practical side, Apple’s system is now live on every updated UK iPhone and iPad. If you have not verified and do not intend to hand over ID or a credit card, the restrictions are already biting. Downgrading the OS is not a long-term option. The infrastructure is here. The only remaining question is how far and how fast it spreads.

This is surveillance infrastructure dressed up as child protection. It will outlast the policy that justified it. VPN users, privacy-conscious adults, and anyone who remembers an open internet without identity gates should treat the next few weeks as the last practical moment to push back before the next layer locks in.