
How Britain’s Online Safety Act Opens New Fronts for Espionage and Coercion

  • Jack Buckby
  • Feb 26
  • 9 min read

Britain’s Online Safety Act Is A National Security Disaster in the Making

The Online Safety Act creates a sprawling network of vulnerabilities that foreign adversaries can exploit - and the government can't be held accountable when it fails.



In 2015, the U.S. Office of Personnel Management (OPM) suffered one of the most damaging data breaches in modern history. Chinese state-linked hackers stole detailed security-clearance files on more than 22 million federal government employees, contractors, and others, including fingerprints, mental health records, and personal contacts. U.S. officials concluded that the breach enabled foreign intelligence agencies to identify undercover operatives, assess vulnerabilities, and potentially coerce spies and diplomats into providing sensitive information. 


Threats like this are already on the radar of Britain’s MI5 and the Intelligence and Security Committee of Parliament (ISC). The UK’s intelligence agencies have repeatedly warned that foreign states, particularly China, are targeting members of parliament, business leaders, and diplomats with kompromat campaigns. Speaking alongside then FBI Director Christopher Wray in July 2022, MI5 Director General Ken McCallum warned of ongoing espionage and hacking operations by China, describing Beijing as the “biggest long-term threat” to national security. 


In March 2024, Britain’s National Cyber Security Centre (NCSC) assessed that China-affiliated cyber actors specifically targeted parliamentarians during a 2021 campaign led by APT31, a group tied to Chinese state intelligence. An ISC report from July 2023 also concluded that China is aggressively targeting British politicians, civil servants, and military personnel as part of a “whole-of-state” interference campaign. 


Now, the UK is sleepwalking into a crisis with the potential to match or exceed the fallout of the OPM breach. The Online Safety Act 2023 (OSA) compounds an already escalating risk of blackmail and coercion of public officials by creating honeypots of sensitive data through its newly enforced online age-verification provisions. That risk is aggravated by a fragmented chain of data custody, inconsistent security standards across vendors, and an increased likelihood of phishing, spoofing, and metadata exploitation, each of which opens a new pathway for sensitive information to be misused.


State-Mandated Age Verification Creates Exploitable Data Trails


As of July 2025, millions of British users seeking to access adult content online must upload identifying information to prove their age. Though the Online Safety Act was passed in 2023, the age-verification requirements only came into effect in July 2025, following two years of technical consultations, regulatory guidance, and industry preparation. 


The measure is supported by a majority of Britons, despite years of controversy dating back to the Digital Economy Act 2017, which first legislated mandatory age verification for online pornography but was abandoned in October 2019 over technical and privacy concerns. But while the new law may appear to some as a straightforward measure to protect young people online, it carries profound and far-reaching consequences that British parliamentarians appear to be ignoring, and that the legislation itself makes no effort to address.


At the core of the risk is this: the OSA creates potentially traceable connections between a user’s identity and their online activity. In doing so, the legislation makes security-cleared officials, military personnel, police officers, regulators, journalists, diplomats, and politicians targets for malicious actors. The systems processing this information handle exactly the kind of sensitive material - passport images and biometric data - that hostile foreign states routinely seek to exploit to support espionage operations or to develop kompromat used to coerce or discredit high-value individuals.


For high-profile and influential individuals, a single compromise could expose not only private behavior or online habits, but personal relationships, vulnerabilities, and associations that adversaries could exploit to extract sensitive information or pressure individuals to act in the interests of foreign governments.


Decentralized Data Storage 


Crucially, the legislation offers no meaningful way to mitigate these threats - not necessarily due to a lack of foresight, but because the risks are inherent to the model the Act now enforces. The OSA does not establish a centralized government clearinghouse for age verification - a model that would itself pose significant risks. Instead, under the law, the burden of protecting user data has been placed entirely on individual web service providers, which may either build in-house tools or contract the process out to third-party vendors.


The result? Britain is not creating a single honeypot of sensitive data, as a centralised system would, but dozens or potentially hundreds. Each vendor becomes a separate point of vulnerability, and each age-verification system a potential weak link. Some providers may store no data at all, while others might retain it indefinitely, whether by design or inadvertently, in logs, backups, or caches that outlive the nominal deletion of a record. Even temporary handling windows introduce exploitable openings. Alarmingly, if these vendors are headquartered overseas, they may also be legally compelled to share data with foreign governments.


Put simply, the OSA mandates the concentration of highly compromising personal information into decentralised and inconsistently protected silos. It is a systemic opening for espionage and coercion at scale that connects real-world identities with online behavior in ways intelligence services have long sought to exploit.


This kind of behavioural profiling already has precedent. The aforementioned 2015 OPM breach exposed deeply personal SF-86 background forms on more than 22 million federal employees—including mental health assessments, foreign contacts, and financial histories. Former Director of National Intelligence James Clapper described the breach as a “treasure trove of information” that could be used to map social and professional networks, and profile individuals with access to classified information for targeted recruitment or coercion.


With the OSA, Britain is laying the groundwork for a new form of coercion enabled by the tracking of real-time behavioural data connected to verified identities.


Researchers at RAND, a U.S.-based policy think tank, have already warned that today’s ubiquitous “ambient surveillance” systems - from smartphones and IoT devices to commercial data brokerage operations - are accelerating the use of coercive tactics like “doxfare,” in which personal data is stolen and weaponized. These systems, originally developed for benign or commercial uses, have effectively become large-scale behavioral monitoring networks that quietly capture granular information about individuals’ locations, habits, moods, connections, and social interactions. As researchers concluded in The Emerging Risk of Virtual Societal Warfare, “states and organizations have used access to such data for coercive purposes or competitive advantage.” 


The OSA institutionalises this kind of data collection, but in an even more intrusive form that is exceptionally valuable to foreign intelligence services. 


Additionally, the threats posed by the OSA do not necessarily hinge on malicious actors gaining access to full user activity logs. In many cases, metadata alone is enough. Hackers, particularly advanced persistent threat (APT) groups like APT31, do not require explicit records of what content was viewed. Timestamps, IP addresses, verification tokens, and device fingerprints may be cross-referenced to build a detailed behavioural profile. A ransomware gang or state-linked actor need not prove that someone viewed specific material; presenting enough metadata to imply it can be sufficient to compromise an individual. Even a partial pattern can be weaponized, especially if the target believes more data exists. 
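The cross-referencing described above, as an added example that is not part of the original article. Two constructed log fragments stand in for an age-verification vendor's transaction log (which ties a real name to a verification token, a client IP and a timestamp) and a relying site's access log (which records the token when the browser presented one, the client IP and a content path, but no name). Neither log says who viewed what on its own; a join on the token, or failing that on IP address plus a time window, does. The log formats, names, IP addresses and tokens are all invented for this example and do not describe any real vendor or site.

```python
"""Added example (not from the original article): linking a verified identity
to browsing activity from metadata alone. Log formats, names, IPs and tokens
are all invented; the vendor and site are hypothetical.
"""
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed vendor log: timestamp,event,token,client_ip,name,method
VENDOR_LOG = """\
2025-08-01T21:02:11Z,verify,tok_7f3a,198.51.100.23,"Alice Example",passport
2025-08-01T21:40:05Z,verify,tok_9c1d,203.0.113.7,"Bob Example",face_estimate
2025-08-02T08:15:42Z,verify,tok_22e0,198.51.100.23,"Alice Example",passport
"""

# Constructed relying-site log: timestamp,token_or_dash,client_ip,path
# No name appears anywhere in this log.
SITE_LOG = """\
2025-08-01T21:02:19Z,tok_7f3a,198.51.100.23,/category/x
2025-08-01T21:03:30Z,-,198.51.100.23,/category/y
2025-08-01T21:41:00Z,tok_9c1d,203.0.113.7,/category/z
2025-08-02T08:16:10Z,tok_22e0,198.51.100.23,/category/x
2025-08-03T12:00:00Z,-,192.0.2.99,/category/x
"""


def parse_ts(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ")


def parse_vendor(text):
    rows = []
    for ts, _event, token, ip, name, method in csv.reader(io.StringIO(text)):
        rows.append({"ts": parse_ts(ts), "token": token, "ip": ip,
                     "name": name, "method": method})
    return rows


def parse_site(text):
    rows = []
    for ts, token, ip, path in csv.reader(io.StringIO(text)):
        rows.append({"ts": parse_ts(ts), "token": token, "ip": ip, "path": path})
    return rows


def correlate(vendor, site, window=timedelta(minutes=30)):
    """Return (name, path, timestamp, basis) for every site request that can be
    tied to a vendor verification. basis is 'token' for an exact token match
    and 'ip+time' for the weaker inference: same client IP within `window`
    of a verification event. Requests that match neither are left out."""
    by_token = {v["token"]: v for v in vendor}
    by_ip = defaultdict(list)
    for v in vendor:
        by_ip[v["ip"]].append(v)

    links = []
    for req in site:
        hit = by_token.get(req["token"])
        if hit is not None:
            links.append((hit["name"], req["path"], req["ts"], "token"))
            continue
        # No token in the request: fall back to IP plus time proximity.
        for cand in by_ip.get(req["ip"], []):
            if abs(req["ts"] - cand["ts"]) <= window:
                links.append((cand["name"], req["path"], req["ts"], "ip+time"))
                break
    return links


def profile(links):
    """Collapse links into a per-identity summary: which paths, how many
    requests, and whether any link rests only on the weaker IP+time basis."""
    out = defaultdict(lambda: {"paths": set(), "requests": 0, "inferred": False})
    for name, path, _ts, basis in links:
        entry = out[name]
        entry["paths"].add(path)
        entry["requests"] += 1
        if basis == "ip+time":
            entry["inferred"] = True
    return dict(out)


if __name__ == "__main__":
    found = correlate(parse_vendor(VENDOR_LOG), parse_site(SITE_LOG))
    for name, summary in sorted(profile(found).items()):
        print(name, summary)
```

The token join is exact, but the IP-plus-time fallback is only an inference: shared addresses behind carrier-grade NAT or a corporate proxy will produce false positives, and the fifth site request, from an address the vendor never saw, links to nobody. That weakness matters less than it looks, which is the article's point: an extortionist presenting the profile does not have to prove the inference, only make the target believe it.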


Critically, the OSA creates more entry points for attackers by mandating identity-linked age verification without establishing baseline requirements for how vendors must store or secure user data. And, every additional silo increases the chance that one will be breached - or that a target will be tricked by a phishing campaign imitating a trusted verification prompt.


This exposes a deeper issue: users are often unaware of where their personal data is sent.

Because the OSA delegates responsibility to individual websites and service providers, each free to choose its own verification methods or contract outside vendors, the result is a fragmented ecosystem of age checks, data custody practices, and security standards. There is no closed list of approved technologies or certified vendors, no technical audit of the systems deployed, and no uniform protections. And while this decentralisation might at first glance appear to improve user privacy by avoiding a centralised database, in practice it creates a disjointed system with uneven protections: impossible to monitor, difficult to secure, and dangerously susceptible to exploitation.


Conveniently, this model also insulates the government from blame. Few concerned about data privacy see the state as a reliable custodian, and officials know it. But while decentralisation may be easy to defend rhetorically, it quietly relieves the British government of operational risk and public accountability. Private vendors and platforms now burdened with this responsibility are already struggling under the weight of existing data protection laws, and now they are tasked with protecting a larger quantity of arguably more sensitive data.


Under this new model, every verification vendor becomes a potential point of failure. Some may retain user data indefinitely, even unintentionally, owing to software flaws, backdoors, or poor data hygiene. Others may store nothing. Some vendors operate outside UK jurisdiction altogether and could be compelled to hand data over to foreign governments through legal process, or find themselves targeted by cybercriminals seeking to exploit their infrastructure.


Phishing, User Vulnerability, and the New Normal


The new threats we face do not end with software vulnerabilities. Even as data exposure becomes the new normal, users have no consistent way of determining whether the verification portals they interact with are legitimate, opening the door to new phishing and spoofing campaigns. Malicious actors can now mimic real verification prompts, tricking users, high-profile and otherwise, into voluntarily uploading ID documents, facial scans, and biometric data to fraudulent platforms. Over time, this routine disclosure may condition users to treat identity submission as normal, removing the natural scepticism that once protected people from freely giving away their most personal information. This is a different vector of attack: not breaking into systems to steal data, but training people to hand it over themselves.


Ofcom’s own guidance acknowledges the risks but seeks to justify the system with a misleading comparison that equates online age verification to presenting ID for the purpose of purchasing alcohol or other age-restricted goods in a retail store. But this analogy collapses when one considers the fact that, in the UK, ID presented in a store is not uploaded to a remote server or retained by a third party. The transaction is transient. The OSA, by contrast, normalises the uploading of sensitive credentials - often to unknown companies that may store user data in undisclosed locations beyond the user’s knowledge or control.


And while vendors already claim verification methods like facial age estimation avoid human review or the permanent storage of data, they still require users to submit biometric information that can be intercepted, duplicated, or stored improperly. In a world of reverse image search, AI-powered facial recognition, and state-backed cyber operations, nobody is truly anonymous - and recognisable faces will be among the most attractive targets for hackers.


According to Ofcom, acceptable forms of age verification include:

  • Facial age estimation (uploading a photograph or video for analysis)
  • Photo-ID matching (uploading photo ID and a live facial image)
  • Open banking checks
  • Credit card checks
  • Email-based age estimation
  • Mobile network operator (MNO) age checks


Ofcom also encourages the use of ‘highly effective’ age-verification methods, but leaves the selection and safeguarding of those systems entirely up to individual providers, offering no clear benchmarks or minimum technical standards outside of existing regulation.


The guidance itself also concedes the risks: it advises users to “exercise a degree of caution and judgment when giving over personal information” and notes that responsibility for investigating and enforcing data protection falls to the Information Commissioner’s Office (ICO). In effect, the official guidance acknowledges that the risks are real and ongoing, yet offers little in the way of concrete protections, standards, or enforcement mechanisms for preventing them in the first place.


The OSA also fails to mandate how long verification data should be stored, or whether it should be stored at all. Some vendors may keep data temporarily to support compliance or prevent fraud. Others may choose to retain nothing. 


Compliance with existing law is not a security guarantee. Mistakes happen. Breaches are increasingly common. Software will always have flaws. And determined adversaries do not consider foreign data laws an obstacle to stealing or weaponizing private information.


Even systems that employ temporary handling windows present opportunities for compromise, especially when the data is distributed across siloed platforms with inconsistent protections. Ticking the regulatory box does not prevent a breach, and the OSA provides no new recourse beyond existing data protection law—despite introducing a vast new array of vulnerabilities.


The Online Safety Act was sold as a child protection measure. In reality, it arguably presents the most serious online national security risk Britain has ever faced. By normalizing identity-linked verification online, the Act exposes millions of Britons to potential breaches - especially public officials, civil servants, and military personnel - at a time when British and American intelligence officials warn that China is actively building kompromat on Western officials. 


Coercion, blackmail, and data theft are inevitable consequences of the Act’s age verification provisions, yet the legislation establishes no central oversight and no new technical baselines for security. And when the first major breach is inevitably exposed, the government will have already shielded itself, having legislated its way out of both operational responsibility and political accountability. 


 
 
 



©2022 by Jack Buckby
