By NHI Mgmt Group Editorial Team. Published 2025-07-25. Domain: Governance & Risk. Source: Fingerprint

TL;DR: UK VPN detections rose up to 30% in Fingerprint’s European traffic after scrutiny around the Online Safety Act intensified, underscoring how privacy-preserving browsing can collide with age verification and compliance duties. Blocking VPNs alone catches many legitimate users, so device intelligence and higher-confidence verification signals become the practical control layer.


At a glance

What this is: This is Fingerprint’s analysis of how UK VPN growth is complicating Online Safety Act compliance and age verification decisions.

Why it matters: It matters because IAM, fraud, and access teams must balance regulatory assurance with false-positive risk when legitimate users hide behind privacy tooling.

By the numbers:

👉 Read Fingerprint’s analysis of UK VPN growth and Online Safety Act compliance


Context

The Online Safety Act has turned VPN usage into a governance problem, not just a privacy preference. For regulated and age-restricted services, the issue is whether access controls can still distinguish legitimate users from users trying to bypass verification without blocking the wrong audience.

Fingerprint’s article argues that broad VPN blocking creates a false sense of compliance because privacy tools are not inherently malicious. That makes this a useful case for IAM, fraud, and access teams that need stronger identity signals before making enforcement decisions.


Key questions

Q: How should security teams handle VPN users without blocking legitimate access?

A: Security teams should use VPN detection as a contextual risk signal, not as an automatic deny rule. Combine it with device reputation, geolocation consistency, and confidence scoring, then route uncertain sessions to step-up review. That approach preserves privacy for legitimate users while still giving compliance teams a defensible basis for enforcement.

Q: Why do VPNs make age verification harder to enforce?

A: VPNs obscure the network and location signals that many verification workflows rely on. If the service depends on weak contextual evidence, it can either block legitimate users or miss people trying to bypass controls. The answer is to strengthen the assurance chain, not to assume network origin is enough.

Q: What do teams get wrong about blocking VPN traffic?

A: Teams often confuse visibility with certainty. Detecting a VPN tells you that privacy tooling is in use, not why it is in use. A blanket block usually creates false positives and can damage trust, so the smarter approach is risk-based decisioning with clear escalation paths.

Q: Who is accountable when VPN-based access controls fail under the Online Safety Act?

A: Accountability sits with the organisation operating the service, especially where regulators can impose fines or demand stronger verification outcomes. The control failure is not the presence of VPN users, but the absence of a defensible decision process that can show how access was assessed and why it was allowed or denied.


Technical breakdown

VPN detection as a risk signal, not a verdict

VPN detection is a contextual indicator, not proof of intent. A service can see that traffic originates from a known VPN, but that alone does not tell you whether the user is evading age checks, protecting privacy, or connecting through a corporate network. Device intelligence works best when it combines multiple signals such as IP reputation, geolocation, timezone consistency, and confidence scoring. That matters because the same access pattern can be compliant, suspicious, or entirely normal depending on the service model and policy objective.

Practical implication: treat VPN signals as one input to a broader access decision, not as a standalone block condition.

Why age verification breaks under privacy tooling

Age verification assumes the service can reliably bind a user to a stable identity checkpoint before access is granted. VPNs weaken that assumption by masking location and network context, which can trigger either false blocks or missed abuse if the control set is too thin. This is less about VPNs being harmful and more about verification workflows that rely on weak environmental evidence. When the policy target is legal compliance, the control must be strong enough to support scrutiny and defensible enough to avoid sweeping in legitimate users.

Practical implication: strengthen the verification chain with higher-confidence signals before you deny access or escalate review.

Device intelligence and the compliance boundary

Device intelligence helps define the boundary between policy enforcement and user privacy. In this article’s model, the useful question is not whether a VPN exists, but whether the service has enough context to determine if further scrutiny is required. That is a familiar identity-governance problem: the organisation needs enough assurance to comply without collecting or acting on more data than necessary. The better the signal set, the less likely the service is to fall back to crude blanket restrictions that damage legitimate access.

Practical implication: build step-up review paths for uncertain cases instead of defaulting to blanket VPN exclusion.



NHI Mgmt Group analysis

VPN growth under regulatory pressure exposes an identity assurance gap, not just a filtering problem. The Online Safety Act creates a situation where services must prove who should be allowed through while users actively obscure the signals that access decisions depend on. The failure mode is overconfidence in network-origin checks that were never designed to support legal-grade verification. Practitioners should treat this as an identity assurance issue, not a network hygiene issue.

Blanket VPN blocking is a blunt control that converts uncertainty into avoidable false positives. Many users route traffic through VPNs for privacy, work, or basic security, which means a hard deny policy can punish legitimate access at scale. That is especially problematic when the business still needs to satisfy age or harm-related obligations. The real governance challenge is not whether VPNs exist, but whether the control model can distinguish suspicious concealment from normal privacy behaviour.

Age verification is only as strong as the contextual evidence behind it. If a service cannot evaluate device reputation, location consistency, and confidence across multiple signals, it is forced into weak binary decisions. That creates a compliance posture that looks strict but is operationally fragile. The implication is that regulatory access controls must be designed as layered assurance workflows, not as single-point checks.

VPN detection belongs inside a broader fraud and IAM decisioning layer. The best response is not to treat VPN usage as a ban trigger, but to feed it into step-up review, risk scoring, and exception handling. That approach aligns compliance with user experience and reduces the chance of blocking lawful users while still surfacing questionable sessions. Practitioners should therefore connect VPN signals to identity governance, not isolate them in security tooling alone.

Device intelligence is becoming the practical middle ground between privacy and enforceability. As privacy tools spread, organisations need contextual evidence that can stand up to scrutiny without assuming every hidden IP is malicious. The article’s 30% regional increase shows that the shift is already operational, not theoretical. Security and IAM teams should expect more controls to depend on probabilistic context rather than absolute identity certainty.

From our research:

  • 72% of organisations have experienced or suspect they have experienced a breach of non-human identities, according to The 2024 ESG Report: Managing Non-Human Identities.
  • Two-thirds of enterprises have endured a successful cyberattack resulting from compromised non-human identities, with a quarter encountering multiple attacks.
  • VPN and identity-risk decisions are rarely isolated problems, so start with the NHI Lifecycle Management Guide if you need the governance baseline behind access, rotation, and offboarding.

What this signals

VPN detection is becoming part of the broader identity assurance stack. As privacy tools scale, the practical issue is not whether a user is hidden, but whether the organisation can still make a defensible access decision. That pushes teams toward layered signals, audit trails, and stronger step-up logic rather than blunt network blocking.

Device intelligence will matter more wherever policy enforcement depends on context. The more a service must distinguish legitimate privacy behaviour from evasion, the more value it gets from correlating VPN use with location consistency and device confidence. That same pattern shows up in IAM and fraud operations, where certainty is rarely available from a single signal.

With 72% of organisations having experienced or suspecting a non-human identity breach, according to our 2024 ESG Report: Managing Non-Human Identities, the larger lesson is that identity decisions fail when teams rely on one weak control. The governance boundary is moving toward layered assurance, not isolated checkpoints.


For practitioners

  • Treat VPN detection as a risk input: feed VPN signals into a broader decision engine that also considers device reputation, geolocation consistency, and confidence level before applying blocks or step-up checks.
  • Build exception paths for legitimate privacy use: allow review-based handling for users whose traffic appears privacy-protected but not clearly evasive, so compliance controls do not collapse into blanket denial.
  • Separate age assurance from network origin: use stronger identity and verification checkpoints for age-restricted access instead of relying on IP location or VPN presence as the primary control.
  • Instrument policy decisions for auditability: log why a session was blocked, escalated, or allowed, including the signal combination that drove the decision, so compliance teams can defend outcomes later.
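The layered decision described in the technical breakdown and in the four points above, as an added example that is not Fingerprint's or NHI Mgmt Group's code: VPN detection is one weighted input alongside IP reputation, geolocation and timezone consistency and device confidence, the outcome is allow, step-up or deny, and every decision is serialised with the signal combination behind it for audit. The signal names, weights and thresholds are constructed for illustration, and the age-assurance gate assumes the service already records a separate age check.

```python
import json
from dataclasses import dataclass, asdict

# Constructed weights and thresholds; a real policy would tune these per service.
WEIGHTS = {
    "vpn_detected": 20,            # VPN is a signal, never a verdict on its own
    "poor_ip_reputation": 40,
    "geo_mismatch": 20,
    "timezone_mismatch": 20,
    "low_device_confidence": 30,
}
DENY_AT, STEP_UP_AT = 80, 40

@dataclass
class SessionSignals:
    vpn_detected: bool
    ip_reputation: float        # 0.0 = known abusive ... 1.0 = clean
    geo_matches_account: bool   # IP geolocation agrees with the account's country
    timezone_matches_geo: bool  # browser timezone agrees with IP geolocation
    device_confidence: float    # 0.0 ... 1.0 from device intelligence
    age_assured: bool           # a strong age-assurance check is already on record

def assess(s: SessionSignals) -> dict:
    # Each check contributes a named reason so the audit trail explains the score.
    checks = [
        (s.vpn_detected, "vpn_detected"),
        (s.ip_reputation < 0.3, "poor_ip_reputation"),
        (not s.geo_matches_account, "geo_mismatch"),
        (not s.timezone_matches_geo, "timezone_mismatch"),
        (s.device_confidence < 0.5, "low_device_confidence"),
    ]
    reasons = [name for hit, name in checks if hit]
    risk = sum(WEIGHTS[r] for r in reasons)
    if risk >= DENY_AT:
        decision = "deny"
    elif risk >= STEP_UP_AT:
        decision = "step_up"
    else:
        decision = "allow"
    # Age-restricted access: network origin never substitutes for age assurance,
    # so a low-risk session without it is escalated rather than waved through.
    if decision == "allow" and not s.age_assured:
        decision = "step_up"
        reasons.append("age_assurance_missing")
    return {"decision": decision, "risk": risk, "reasons": reasons, "signals": asdict(s)}

def audit_line(record: dict) -> str:
    # One JSON line per decision, including the signals that drove it.
    return json.dumps(record, sort_keys=True)
```

A VPN user with a clean IP, consistent geolocation and a trusted device scores 20 and is allowed, while the same VPN user with mismatched location signals is routed to step-up rather than blocked.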

Key takeaways

  • VPN use is now a compliance signal as much as a privacy choice, which means access policy must be based on context rather than simple network origin.
  • Blanket VPN blocking creates operational and legal risk because it catches legitimate users along with people attempting to bypass restrictions.
  • The strongest control pattern is layered decisioning, where VPN detection feeds step-up verification, auditability, and exception handling.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

NIST CSF 2.0, NIST SP 800-63 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

Framework                     | Control / Reference | Relevance
NIST CSF 2.0                  | PR.AC-4             | Access decisions depend on contextual assurance and least privilege.
NIST SP 800-63                |                     | Age verification and assurance strength depend on identity evidence quality.
NIST Zero Trust (SP 800-207)  | PR.AC-7             | Continuous verification fits sessions where location and device context are uncertain.

Map VPN-handling logic to PR.AC-4 and require evidence before deny or allow decisions.


Key terms

  • VPN Detection: VPN detection is the process of identifying whether a session appears to originate from a virtual private network. It is a contextual signal, not proof of malicious behaviour. Security teams use it to add scrutiny, not to decide intent on its own.
  • Identity Assurance: Identity assurance is the level of confidence a service has that a user is who they claim to be and is allowed to proceed. In practice, it depends on the quality and combination of signals, not a single check such as IP address or network origin.
  • Step-up Verification: Step-up verification is an additional authentication or review step triggered when the initial risk signal is not strong enough for a direct allow decision. It helps organisations balance user experience with compliance, especially when privacy tools weaken normal context.
  • Contextual Access Decision: A contextual access decision uses multiple environmental and behavioural signals to decide whether a session should be allowed, denied, or escalated. It is more defensible than a binary rule because it reflects uncertainty instead of pretending certainty exists.

Deepen your knowledge

NHI governance, agentic AI identity, and machine identity security are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or governance in your organisation, it is worth exploring.

This post draws on content published by Fingerprint: UK VPN growth, the Online Safety Act, and device intelligence for compliance. Read the original.

NHIMG Editorial Note
Published by the NHIMG editorial team on 2025-07-25.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org