The Online Safety Act sets out to make the internet safer, especially for teenagers. But its design misreads the nature of the system it’s trying to regulate. The result is legislation that’s ill-equipped for the scale, architecture, and behaviour it’s up against.
Last week, millions of UK internet users logged on and found things… different. Age checks. Login prompts. Content warnings where there were none before. Platforms adjusting their systems. Users finding ways round them just as quickly.
It’s all part of the UK’s Online Safety Act: legislation passed in 2023 by the Conservative government and now being phased in by Ofcom. Its aim is to protect children from exposure to material linked to pornography, self-harm, eating disorders, and suicide.
The case for intervention has been building for years. Campaigners, parents, and policymakers have all pushed for tighter controls, particularly after the tragic death of Molly Russell in 2017 and the evidence that she had been served a stream of graphic, harmful content in the lead-up to her taking her own life.
Within days of the Act taking effect, however, VPN downloads surged. VPNs (virtual private networks) allow users to mask their location and browse as if they’re in another country, bypassing restrictions in the process.
In other words, users adapted. Instantly.
It’s a striking misjudgement of online behaviour. The Act places responsibility on platforms and providers whilst assuming the other side of the equation is static – that users will simply conform. That assumption doesn’t hold. Especially when the user base grew up online.
Today’s teenagers are the most digitally fluent generation in history. They are experts in proxies, incognito modes, burner accounts, DNS settings, and how to game a recommendation algorithm. They know how the internet works and intuitively move through it in ways regulators don’t understand. Trying to legislate their access through surface-level age restrictions is like locking the front door whilst leaving the windows open, and assuming the kids won’t notice. They will.
The government’s answer, so far, is to threaten penalties for services that ‘signpost’ workarounds like VPNs. But the law still can’t stop anyone from using them.
The Act also ignores the sheer scale of what’s being attempted. 34 million videos are uploaded to TikTok every day. Add YouTube, Instagram, X, and everything else, and you start to grasp the magnitude. No regulator, however well resourced, can meaningfully monitor or moderate that volume.
Ofcom has been clear-eyed about this. It knows the scale. It knows the gaps. It knows that effective content regulation at internet level is, at best, structurally difficult. At worst, however, it’s totally unworkable.
Moderation is made harder by the fact the internet doesn’t operate within fixed borders. In fact, from a user’s point of view, geography barely exists online. Content moves across servers, platforms, and jurisdictions in ways no single regulator can meaningfully track, let alone control. And with VPNs, users can do this too.
But the real problem isn’t digitally native teenagers, open borders, or the sheer volume of content. It’s that social media feeds favour content that ‘performs’, and what ‘performs’ is often what harms. The risk isn’t simply at the point of contact. It’s built in higher up.
Platforms are not neutral hosts. They are built to maximise engagement (and therefore commercial value) by recommending, ranking, and amplifying content that keeps users scrolling. Moderation is treated as a liability, not a feature. The result is a system optimised for scale, speed, and attention, fundamentally at odds with efforts to slow, scrutinise, or control what circulates within it.
There’s clear evidence of how this plays out. The very material the Act is designed to restrict – violent, sexual, misogynistic etc. – is often exactly what algorithms promote, because it provokes strong reactions and keeps users online. A 2024 UCL study found that TikTok’s ‘For You’ page increased teenage exposure to misogynistic and extreme content fourfold, from 13% to 56% in just five days.
There’s a direct conflict at hand. The Act aims to block harmful content from reaching children, while the system underneath is designed to spread it. Throw in the fact that most teenagers can navigate VPNs, spoof age checks, and sidestep legislation faster than regulators can write it, and the gap between policy and reality becomes hard to ignore.
It’s worth noting that another (much louder) criticism has come from many on the libertarian right, who have been quick to frame the Act as dystopian governmental overreach. Nigel Farage sees state suppression of speech. Zia Yusuf says it would make Xi Jinping blush. Elon Musk, Trump, and Tommy Robinson have all chimed in.
The debate has curdled into a binary that pits free speech against child safety. Jess Phillips, writing in The Times, claimed that repealing the Act, as Reform UK have said they would, is tantamount to enabling “modern day Jimmy Saviles”. The provocation landed.
In all the political noise, the perspectives of safeguarding professionals – those closest to the realities of online harm – have been largely sidelined. They had little say in shaping the Act. And good intentions aside, that absence leaves the policy once again without the footing it needs to hold up in practice.
Reducing harm means shifting focus – both upstream, to the algorithmic incentives that amplify extreme content, and downstream, to the people trained to deal with it in the real world. We need teeth at the top, and capacity at the bottom. Right now, we have neither. Platforms still optimise for attention. Safeguarding professionals remain at arm’s length. And the law continues to treat harm as a user-level problem, not a system-level outcome.
Policy that misunderstands the machine it’s trying to steer will always be outrun by it. Only well-informed, technically grounded, and brutally honest policymaking stands a chance. And even then, the odds are long.